Processes Accessing the Microphone and Webcam

Severity: medium
Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
Source: upstream

Potential adversaries accessing the microphone and webcam in an endpoint.

MITRE ATT&CK coverage

Tactic	Techniques
Collection	`T1123` Audio Capture

Event coverage

Provider	Event ID	Title
Security-Auditing	4656	A handle to an object was requested.
Security-Auditing	4657	A registry value was modified.
Security-Auditing	4663	An attempt was made to access an object.

Stages and Predicates

Stage 1: `selection`

or:
ObjectName|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged'
ObjectName|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`ObjectName`	match	`\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged` `\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged`

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Azure AD Health Monitoring Agent Registry Keys Access [sigma]
Azure AD Health Service Agents Registry Keys Access [sigma]
LSASS Access From Non System Account [sigma]
WCE wceaux.dll Access [sigma]
Potential Secure Deletion with SDelete [sigma]
Potentially Suspicious AccessMask Requested From LSASS [sigma]
SysKey Registry Keys Access [sigma]
Sysmon Channel Reference Deletion [sigma]

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.

Azure AD Health Monitoring Agent Registry Keys Access [sigma]
Azure AD Health Service Agents Registry Keys Access [sigma]
LSASS Access From Non System Account [sigma]
WCE wceaux.dll Access [sigma]
Potential Secure Deletion with SDelete [sigma]
Potentially Suspicious AccessMask Requested From LSASS [sigma]
SysKey Registry Keys Access [sigma]
Sysmon Channel Reference Deletion [sigma]