Access to Microphone Device

Metadata

collaborators: Roberto Rodriguez @Cyb3rWard0g, Jose Rodriguez @Cyb3rPandaH

creation date: 2020/06/09

modification date: 2020/09/20

playbook related: none

Hypothesis

Adversaries might be accessing the microphone in endpoints over the network.

Technical Context

None

Offensive Tradecraft

An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening in on sensitive conversations to gather information. Based on research by @svch0st, you can determine when and for how long a process had access to the microphone of an endpoint by monitoring the following registry key:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone

Mordor Test Data

metadata: https://mordordatasets.com/notebooks/small/windows/09_collection/SDWIN-200609225055.html

link: https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/collection/host/msf_record_mic.zip

Analytics

Initialize Analytics Engine

from openhunt.mordorutils import *   # OTRF openhunt helpers (get_spark, registerMordorSQLTable)
spark = get_spark()                  # SparkSession used by every analytic below

Download & Process Mordor Dataset

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/collection/host/msf_record_mic.zip"
# downloads the dataset, loads it into a DataFrame and exposes it as the SparkSQL view "mordorTable"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Analytic I

Look for any creation or modification of registry keys under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged

Data source      | Event Provider                       | Relationship                                | Event
Windows Registry | Microsoft-Windows-Sysmon/Operational | Process created Windows registry key        | 12
Windows Registry | Microsoft-Windows-Sysmon/Operational | Process modified Windows registry key value | 13
Windows Registry | Microsoft-Windows-Sysmon/Operational | Process modified Windows registry key value | 14
Windows Registry | Microsoft-Windows-Sysmon/Operational | Process modified Windows registry key       | 14

# Sysmon EventID 12 = registry key created/deleted, 13 = value set, 14 = key/value renamed
df = spark.sql(
'''
SELECT EventID, Message
FROM mordorTable
WHERE Channel = 'Microsoft-Windows-Sysmon/Operational'
  AND EventID IN (12,13,14)
  AND LOWER(TargetObject) RLIKE '.*consentstore\\\\\\\microphone.*'
'''
)
# The run of backslashes collapses to one escaped backslash after Python and then
# Spark SQL unescape the literal, so the regex matches the literal "consentstore\microphone".
df.show(10,False)
+-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|EventID|Message                                                                                                                                                                                                                                                                                                                                                                                                                                            |
+-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|12     |Registry object added or deleted:
RuleName: -
EventType: CreateKey
UtcTime: 2020-06-10 02:51:54.724
ProcessGuid: {6a910b9d-480e-5ee0-7e03-000000000400}
ProcessId: 7920
Image: C:\windows\system32\svchost.exe
TargetObject: HKU\S-1-5-21-526538150-889687948-186688817-1106\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged                                                          |
|13     |Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2020-06-10 02:51:54.724
ProcessGuid: {6a910b9d-480e-5ee0-7e03-000000000400}
ProcessId: 7920
Image: C:\windows\system32\svchost.exe
TargetObject: HKU\S-1-5-21-526538150-889687948-186688817-1106\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\Value
Details: Allow                                                   |
|12     |Registry object added or deleted:
RuleName: -
EventType: CreateKey
UtcTime: 2020-06-10 02:51:55.398
ProcessGuid: {6a910b9d-480e-5ee0-7e03-000000000400}
ProcessId: 7920
Image: C:\windows\system32\svchost.exe
TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone                                                                                                                 |
|12     |Registry object added or deleted:
RuleName: -
EventType: CreateKey
UtcTime: 2020-06-10 02:51:55.398
ProcessGuid: {6a910b9d-480e-5ee0-7e03-000000000400}
ProcessId: 7920
Image: C:\windows\system32\svchost.exe
TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged                                                                                                     |
|12     |Registry object added or deleted:
RuleName: -
EventType: CreateKey
UtcTime: 2020-06-10 02:51:55.398
ProcessGuid: {6a910b9d-480e-5ee0-7e03-000000000400}
ProcessId: 7920
Image: C:\windows\system32\svchost.exe
TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\C:#Windows#System32#WindowsPowerShell#v1.0#powershell.exe                                           |
|13     |Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2020-06-10 02:51:55.398
ProcessGuid: {6a910b9d-480e-5ee0-7e03-000000000400}
ProcessId: 7920
Image: C:\windows\system32\svchost.exe
TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\C:#Windows#System32#WindowsPowerShell#v1.0#powershell.exe\LastUsedTimeStart
Details: QWORD (0x01d63ed2-0x19fba509)|
|12     |Registry object added or deleted:
RuleName: -
EventType: CreateKey
UtcTime: 2020-06-10 02:51:55.398
ProcessGuid: {6a910b9d-480e-5ee0-7e03-000000000400}
ProcessId: 7920
Image: C:\windows\system32\svchost.exe
TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\C:#Windows#System32#WindowsPowerShell#v1.0#powershell.exe                                           |
|13     |Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2020-06-10 02:51:55.398
ProcessGuid: {6a910b9d-480e-5ee0-7e03-000000000400}
ProcessId: 7920
Image: C:\windows\system32\svchost.exe
TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\C:#Windows#System32#WindowsPowerShell#v1.0#powershell.exe\LastUsedTimeStop
Details: QWORD (0x00000000-0x00000000) |
|12     |Registry object added or deleted:
RuleName: -
EventType: CreateKey
UtcTime: 2020-06-10 02:52:00.951
ProcessGuid: {6a910b9d-480e-5ee0-7e03-000000000400}
ProcessId: 7920
Image: C:\windows\system32\svchost.exe
TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\C:#Windows#System32#WindowsPowerShell#v1.0#powershell.exe                                           |
|13     |Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2020-06-10 02:52:00.951
ProcessGuid: {6a910b9d-480e-5ee0-7e03-000000000400}
ProcessId: 7920
Image: C:\windows\system32\svchost.exe
TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\C:#Windows#System32#WindowsPowerShell#v1.0#powershell.exe\LastUsedTimeStop
Details: QWORD (0x01d63ed2-0x1d4adb0a) |
+-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

Analytic II

Look for any creation or modification of registry keys under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged

Data source      | Event Provider                      | Relationship                                  | Event
Windows Registry | Microsoft-Windows-Security-Auditing | Process accessed Windows registry key         | 4663
Windows Registry | Microsoft-Windows-Security-Auditing | User accessed Windows registry key            | 4663
Windows Registry | Microsoft-Windows-Security-Auditing | Process requested access Windows registry key | 4656
Windows Registry | Microsoft-Windows-Security-Auditing | User requested access Windows registry key    | 4656
Windows Registry | Microsoft-Windows-Security-Auditing | Process modified Windows registry key value   | 4657
Windows Registry | Microsoft-Windows-Security-Auditing | User modified Windows registry key value      | 4657

# Security auditing: 4656 = handle requested, 4663 = object accessed, 4657 = registry value modified.
# These only exist if a SACL with object-access auditing is set on the ConsentStore key.
df = spark.sql(
'''
SELECT EventID, Message
FROM mordorTable
WHERE LOWER(Channel) = 'security'
  AND EventID IN (4656,4663,4657)
  AND LOWER(ObjectName) RLIKE '.*consentstore\\\\\\\microphone.*'
'''
)
df.show(10,False)
+-------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|EventID|Message                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
+-------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|4656   |A handle to an object was requested.

Subject:
	Security ID:		S-1-5-18
	Account Name:		WORKSTATION6$
	Account Domain:		MORDOR
	Logon ID:		0x3E7

Object:
	Object Server:		Security
	Object Type:		Key
	Object Name:		\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\C:#Windows#System32#WindowsPowerShell#v1.0#powershell.exe
	Handle ID:		0x2f4
	Resource Attributes:	-

Process Information:
	Process ID:		0x1ef0
	Process Name:		C:\Windows\System32\svchost.exe

Access Request Information:
	Transaction ID:		{00000000-0000-0000-0000-000000000000}
	Accesses:		DELETE
				READ_CONTROL
				WRITE_DAC
				WRITE_OWNER
				Query key value
				Set key value
				Create sub-key
				Enumerate sub-keys
				Notify about changes to keys
				Create Link
				
	Access Reasons:		-
	Access Mask:		0xF003F
	Privileges Used for Access Check:	-
	Restricted SID Count:	0|
|4663   |An attempt was made to access an object.

Subject:
	Security ID:		S-1-5-18
	Account Name:		WORKSTATION6$
	Account Domain:		MORDOR
	Logon ID:		0x3E7

Object:
	Object Server:		Security
	Object Type:		Key
	Object Name:		\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\C:#Windows#System32#WindowsPowerShell#v1.0#powershell.exe
	Handle ID:		0x2f4
	Resource Attributes:	-

Process Information:
	Process ID:		0x1ef0
	Process Name:		C:\Windows\System32\svchost.exe

Access Request Information:
	Accesses:		Set key value
				
	Access Mask:		0x2                                                                                                                                                                                                                                                                                                                                 |
|4657   |A registry value was modified.

Subject:
	Security ID:		S-1-5-18
	Account Name:		WORKSTATION6$
	Account Domain:		MORDOR
	Logon ID:		0x3E7

Object:
	Object Name:		\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\C:#Windows#System32#WindowsPowerShell#v1.0#powershell.exe
	Object Value Name:	LastUsedTimeStop
	Handle ID:		0x2f4
	Operation Type:		New registry value created

Process Information:
	Process ID:		0x1ef0
	Process Name:		C:\Windows\System32\svchost.exe

Change Information:
	Old Value Type:		-
	Old Value:		-
	New Value Type:		REG_QWORD
	New Value:		0x0                                                                                                                                                                                                                                                                                                        |
|4656   |A handle to an object was requested.

Subject:
	Security ID:		S-1-5-18
	Account Name:		WORKSTATION6$
	Account Domain:		MORDOR
	Logon ID:		0x3E7

Object:
	Object Server:		Security
	Object Type:		Key
	Object Name:		\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\C:#Windows#System32#WindowsPowerShell#v1.0#powershell.exe
	Handle ID:		0x1dc
	Resource Attributes:	-

Process Information:
	Process ID:		0x1ef0
	Process Name:		C:\Windows\System32\svchost.exe

Access Request Information:
	Transaction ID:		{00000000-0000-0000-0000-000000000000}
	Accesses:		DELETE
				READ_CONTROL
				WRITE_DAC
				WRITE_OWNER
				Query key value
				Set key value
				Create sub-key
				Enumerate sub-keys
				Notify about changes to keys
				Create Link
				
	Access Reasons:		-
	Access Mask:		0xF003F
	Privileges Used for Access Check:	-
	Restricted SID Count:	0|
|4663   |An attempt was made to access an object.

Subject:
	Security ID:		S-1-5-18
	Account Name:		WORKSTATION6$
	Account Domain:		MORDOR
	Logon ID:		0x3E7

Object:
	Object Server:		Security
	Object Type:		Key
	Object Name:		\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\C:#Windows#System32#WindowsPowerShell#v1.0#powershell.exe
	Handle ID:		0x1dc
	Resource Attributes:	-

Process Information:
	Process ID:		0x1ef0
	Process Name:		C:\Windows\System32\svchost.exe

Access Request Information:
	Accesses:		Set key value
				
	Access Mask:		0x2                                                                                                                                                                                                                                                                                                                                 |
|4657   |A registry value was modified.

Subject:
	Security ID:		S-1-5-18
	Account Name:		WORKSTATION6$
	Account Domain:		MORDOR
	Logon ID:		0x3E7

Object:
	Object Name:		\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\C:#Windows#System32#WindowsPowerShell#v1.0#powershell.exe
	Object Value Name:	LastUsedTimeStop
	Handle ID:		0x1dc
	Operation Type:		Existing registry value modified

Process Information:
	Process ID:		0x1ef0
	Process Name:		C:\Windows\System32\svchost.exe

Change Information:
	Old Value Type:		REG_QWORD
	Old Value:		0x0
	New Value Type:		REG_QWORD
	New Value:		0x1D63ED21D4ADB0A                                                                                                                                                                                                                                                                          |
+-------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
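Both analytics surface the same evidence in two renderings: Sysmon EventID 13 shows the REG_QWORD as "QWORD (0x<high>-0x<low>)", while Security EventID 4657 shows it as a single hex number, and in both the executable is encoded in the NonPackaged subkey name with '#' standing in for '\'. The following Python is an added example, not code from the playbook or from OTRF, that decodes both renderings, recovers the executable path, and computes how long the process held the microphone. The sample events are transcribed from the Analytic I output above and are labelled as constructed; the '#' convention is inferred from the key names shown there.

```python
"""Decode microphone-usage evidence from CapabilityAccessManager registry events.

Added example (not code from the playbook). Values are parsed as Sysmon EventID 13
("QWORD (0x<high>-0x<low>)") and Security EventID 4657 ("0x<hex>") render them; the
executable path is recovered from the NonPackaged subkey name, where '#' stands in
for '\\' (inferred from the key names in the dataset output).
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Optional, Tuple

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_SYSMON_QWORD = re.compile(r"QWORD \(0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)\)")
_NONPACKAGED = re.compile(r"\\NonPackaged\\([^\\]+)", re.IGNORECASE)
_KEY_BASE = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager"
             r"\ConsentStore\microphone\NonPackaged")


def parse_qword(details: str) -> int:
    """Integer value of a REG_QWORD in either the Sysmon or the 4657 rendering."""
    m = _SYSMON_QWORD.search(details)
    if m:
        high, low = (int(x, 16) for x in m.groups())
        return (high << 32) | low
    return int(details.strip(), 16)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME ticks -> aware UTC datetime, truncated to microseconds."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def filetime_to_iso(ft: int) -> str:
    return filetime_to_datetime(ft).isoformat()


def nonpackaged_image(target_object: str) -> Optional[str]:
    """Executable path encoded in the NonPackaged subkey, or None if not present."""
    m = _NONPACKAGED.search(target_object)
    return m.group(1).replace("#", "\\") if m else None


def from_4657(object_name: str, value_name: str, new_value: str) -> Tuple[str, str]:
    """Shape a Security 4657 record like a Sysmon 13 (TargetObject, Details) pair."""
    return object_name + "\\" + value_name, new_value


def microphone_sessions(events: Iterable[Tuple[str, str]]) -> Dict[str, dict]:
    """Pair LastUsedTimeStart/LastUsedTimeStop writes per executable.

    events are (TargetObject, Details) pairs in chronological order; later writes
    overwrite earlier ones, as they do in the registry. A stop value of 0 (written
    when capture begins) means the session had not ended yet.
    """
    raw: Dict[str, Dict[str, Optional[int]]] = {}
    for target, details in events:
        image = nonpackaged_image(target)
        value_name = target.rsplit("\\", 1)[-1]
        if image is None or value_name not in ("LastUsedTimeStart", "LastUsedTimeStop"):
            continue
        slot = "start" if value_name == "LastUsedTimeStart" else "stop"
        raw.setdefault(image, {"start": None, "stop": None})[slot] = parse_qword(details)

    sessions: Dict[str, dict] = {}
    for image, e in raw.items():
        start, stop = e["start"], e["stop"]
        sessions[image] = {
            "start": filetime_to_datetime(start) if start else None,
            "stop": filetime_to_datetime(stop) if stop else None,
            "seconds": (stop - start) / 1e7 if start and stop else None,
        }
    return sessions


# Constructed sample, transcribed from the Sysmon EventID 13 rows shown in Analytic I.
POWERSHELL_KEY = _KEY_BASE + r"\C:#Windows#System32#WindowsPowerShell#v1.0#powershell.exe"
SAMPLE_EVENTS = [
    (POWERSHELL_KEY + r"\LastUsedTimeStart", "QWORD (0x01d63ed2-0x19fba509)"),
    (POWERSHELL_KEY + r"\LastUsedTimeStop", "QWORD (0x00000000-0x00000000)"),
    (POWERSHELL_KEY + r"\LastUsedTimeStop", "QWORD (0x01d63ed2-0x1d4adb0a)"),
]

if __name__ == "__main__":
    for image, s in microphone_sessions(SAMPLE_EVENTS).items():
        print(f"{image}: {s['start']} -> {s['stop']} ({s['seconds']} s)")
```

Run against the sample, the decoded start (02:51:55.398 UTC) and stop (02:52:00.951 UTC) agree with the UtcTime fields Sysmon stamped on the same writes, which is a useful sanity check when the hunt is done on 4657 events alone: the 4657 "New Value: 0x1D63ED21D4ADB0A" from Analytic II decodes to the same stop time, so `from_4657(ObjectName, ObjectValueName, NewValue)` can feed the same pairing logic when Sysmon is not deployed.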

Known Bypasses

Idea | Playbook

False Positives

None

Hunter Notes

None

References

  • https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072