-
Notifications
You must be signed in to change notification settings - Fork 2.8k
/
T1123.yaml
60 lines (56 loc) · 2.38 KB
/
T1123.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
attack_technique: T1123
display_name: Audio Capture
atomic_tests:
- name: using device audio capture commandlet
auto_generated_guid: 9c3ad250-b185-4444-b5a9-d69218a10c95
description: |
[AudioDeviceCmdlets](https://github.com/cdhunt/WindowsAudioDevice-Powershell-Cmdlet)
supported_platforms:
- windows
executor:
command: |
powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet
name: powershell
- name: Registry artefact when application use microphone
auto_generated_guid: 7a21cce2-6ada-4f7c-afd9-e1e9c481e44a
description: |
[can-you-track-processes-accessing-the-camera-and-microphone](https://svch0st.medium.com/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072)
supported_platforms:
- windows
executor:
command: |
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\C:#Windows#Temp#atomic.exe /v LastUsedTimeStart /t REG_BINARY /d a273b6f07104d601 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\C:#Windows#Temp#atomic.exe /v LastUsedTimeStop /t REG_BINARY /d 96ef514b7204d601 /f
cleanup_command: |
reg DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\C:#Windows#Temp#atomic.exe /f
name: command_prompt
- name: using Quicktime Player
auto_generated_guid: c7a0bb71-70ce-4a53-b115-881f241b795b
description: |
Use AppleScript to get Quicktime Player to record an audio file from the default microphone.
Should create a non-empty m4a file with sound from the microphone.
- requires Automation permissions but no additional microphone permissions
- saves file in /tmp by default. Other locations likely to require more permissions.
supported_platforms:
- macos
input_arguments:
filename:
description: Location of the script
type: path
default: PathToAtomicsFolder/T1123/src/T1123.sh
audiofile:
description: Location of the recorded audio file
type: path
default: /tmp/T1123.m4a
duration:
description: Length of recording to make in seconds
type: integer
default: 5
executor:
command: |
sh #{filename} #{audiofile} #{duration}
cleanup_command: |
if test -w #{audiofile}; then
rm #{audiofile}
fi
name: sh