
Suspicious Camera and Microphone Access

Detects processes accessing the camera and microphone from suspicious folders.

Author: Den Iuzvyk

Log Source
Product: windows
Category: registry_event

Events for Windows Registry modifications including key creation, modification, and deletion.

Detection Logic (3 selectors)
detection:
    selection_1:
        TargetObject|contains|all:
            - '\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\'
            - '\NonPackaged'
    selection_2:
        TargetObject|contains:
            - microphone
            - webcam
    selection_3:
        TargetObject|contains:
            - ':#Windows#Temp#'
            - ':#$Recycle.bin#'
            - ':#Temp#'
            - ':#Users#Public#'
            - ':#Users#Default#'
            - ':#Users#Desktop#'
    condition: all of selection_*
False Positives

Unlikely; conferencing software running from a Temp folder could legitimately access the devices.

Rule Metadata
Rule ID
62120148-6b7a-42be-8b91-271c04e281a3
Status
test
Level
high
Type
Detection
Created
Sun Jun 07
Modified
Sun Oct 09
Path
rules/windows/registry/registry_event/registry_event_susp_mic_cam_access.yml
Raw Tags
attack.collection, attack.t1125, attack.t1123