Processes accessing the microphone and webcam may indicate adversarial reconnaissance to capture audio or visual data, as this behavior is commonly associated with initial compromise and data exfiltration. SOC teams should proactively hunt for this activity in Azure Sentinel to identify potential espionage or surveillance operations early.
Detection Rule
title: Processes Accessing the Microphone and Webcam
id: 8cd538a4-62d5-4e83-810b-12d41e428d6e
status: test
description: Potential adversaries accessing the microphone and webcam in an endpoint.
references:
    - https://twitter.com/duzvik/status/1269671601852813320
    - https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-06-07
modified: 2021-11-27
tags:
    - attack.collection
    - attack.t1123
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4657
            - 4656
            - 4663
        ObjectName|contains:
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged'
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged'
    condition: selection
falsepositives:
    - Unknown
level: medium
imRegistry
| where RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\microphone\\NonPackaged"
    or RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\webcam\\NonPackaged"
Scenario: System Maintenance Task Using Webcam
Description: A legitimate system maintenance task, such as the Windows Camera app or a third-party tool like OBS Studio, is used to capture video for documentation or training purposes.
Filter/Exclusion: Exclude processes associated with known legitimate video capture tools (e.g., camera.exe, obs64.exe) or filter by user account (e.g., User: IT-Admin).
Scenario: Scheduled Job for Video Conferencing
Description: A scheduled job runs a video conferencing application like Zoom or Microsoft Teams to conduct a meeting.
Filter/Exclusion: Exclude processes initiated by a known user or group (e.g., User: MeetingScheduler) or filter by process name (e.g., Zoom.exe, Teams.exe).
Scenario: Security Software Performing Webcam Scan
Description: A security tool like Malwarebytes or Bitdefender performs a webcam scan to check for malware.
Filter/Exclusion: Exclude processes associated with known security software (e.g., mbam.exe, bdagent.exe) or filter by process parent (e.g., task scheduler).
Scenario: User Accessing Webcam for Live Streaming
Description: A user is live-streaming using a tool like Twitch or YouTube Live and accesses the webcam.
Filter/Exclusion: Exclude processes related to streaming platforms (e.g., twitch.exe, youtube-studio.exe) or filter by user account (e.g., User: ContentCreator).
Scenario: Administrative Task for Camera Calibration
Description: An admin is calibrating a camera using a tool like Logitech Camera Settings or a built-in OS utility.
Filter/Exclusion: Exclude processes associated with
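As an added example (not part of the original rule or its author's code), the following Python applies the rule's selection to constructed Windows Security event records and then applies the kind of allowlist the false-positive scenarios above describe. It relies on the way the NonPackaged consent-store subkeys are named: the executable path with each path separator replaced by '#', so the accessing process can be recovered from ObjectName alone. The allowlist contents and the sample events are assumptions for illustration and must be tuned per environment.

```python
# Registry path from the Sigma rule; subkeys under NonPackaged are named after the
# executable path with '\' replaced by '#' (e.g. C:#Program Files#...#obs64.exe).
CONSENT_STORE = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore"
DEVICES = ("microphone", "webcam")
REGISTRY_EVENT_IDS = {4656, 4657, 4663}   # the EventIDs the rule selects on
# Executables the false-positive scenarios name as legitimate (assumed list; tune per environment).
KNOWN_GOOD = {"camera.exe", "obs64.exe", "zoom.exe", "teams.exe", "mbam.exe", "bdagent.exe"}


def parse_object_name(object_name):
    """Return (device, exe_path) for a NonPackaged consent-store key, or None if it is not one."""
    for device in DEVICES:
        prefix = f"{CONSENT_STORE}\\{device}\\NonPackaged"
        idx = object_name.find(prefix)          # mirrors the rule's ObjectName|contains
        if idx == -1:
            continue
        rest = object_name[idx + len(prefix):].lstrip("\\")
        exe_path = rest.split("\\", 1)[0].replace("#", "\\")   # decode the '#'-encoded path
        return device, exe_path
    return None


def hunt(events):
    """Apply the rule's selection to event dicts and flag whether each hit is allowlisted."""
    hits = []
    for ev in events:
        if ev.get("EventID") not in REGISTRY_EVENT_IDS:
            continue
        parsed = parse_object_name(ev.get("ObjectName", ""))
        if parsed is None:
            continue
        device, exe_path = parsed
        exe_name = exe_path.rsplit("\\", 1)[-1].lower()
        hits.append({"device": device, "process": exe_path, "user": ev.get("SubjectUserName"),
                     "allowlisted": exe_name in KNOWN_GOOD})
    return hits


# Constructed sample events, not real telemetry: one allowlisted webcam access, one
# microphone access from a temp-directory binary, one unrelated key, one non-registry event.
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectUserName": "alice", "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged\C:#Program Files#obs-studio#bin#64bit#obs64.exe"},
    {"EventID": 4657, "SubjectUserName": "bob", "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\C:#Users#bob#AppData#Local#Temp#update.exe"},
    {"EventID": 4663, "SubjectUserName": "bob", "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"EventID": 4688, "SubjectUserName": "bob", "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged\C:#x.exe"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

These Security events only exist if object-access auditing is enabled and a SACL is set on the ConsentStore keys; with no SACL the rule has nothing to match, so verify the audit configuration before relying on it.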