T1123: Audio Capture

View on MITRE ATT&CK	T1123
Tactic(s)	Collection
Associated CAPEC Patterns	Probe Audio and Video Peripherals (CAPEC-634)

Data from MITRE ATT&CK®:

An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.

Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Cyber Threat Graph Context

Explore how this ATT&CK Technique relates to the wider threat graph

How to detect this technique

MITRE ATT&CK Data Components

Command Execution (Command)

The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )

OS API Execution (Process)

Operating system function/method calls executed by a process

Control Validation Tests for this Technique

Use Atomic Red Team tests to test your defenses against this technique.

Registry artefact when application use microphone

using Quicktime Player

using device audio capture commandlet

Sigma Detections for this Technique

Audio Capture via PowerShell

windows process creation

Linux Capabilities Discovery

Suspicious Camera and Microphone Access

windows registry event

Audio Capture

OpenCanary - SIP Request

opencanary application

Processes Accessing the Microphone and Webcam

Audio Capture via SoundRecorder

windows process creation