An unpopular process accessed the microphone on the host

Cortex XDR Analytics Alert Reference by Alert name

Product: Cortex XDR
Last date published: 2024-10-08
Category: Analytics Alert Reference
Order: Alert name

Synopsis

Activation Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 7 Days

Required Data

  • Requires:
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules:
Detector Tags:
ATT&CK Tactic: Collection (TA0009)
ATT&CK Technique:
Severity: Low

Description

An unpopular process accessed the microphone on the host. The process can abuse this device.

Attacker's Goals

  • Recording of the surroundings or video capture in the workplace may leak corporate data.
  • Recording of the surroundings or video capture of the user's space can expose the user to potential risks such as worker extortion, sextortion, etc.

Investigative actions

  • Check whether the application registered in the Microsoft privacy settings (ConsentStore in the registry) is legitimate.
  • Check if the user was aware of the use of the device.

Variations

An unpopular process accessed the webcam on the host

Synopsis

ATT&CK Tactic: Collection (TA0009)
ATT&CK Technique:
Severity: Low

Description

An unpopular process accessed the webcam on the host. The process can abuse this device.

Attacker's Goals

  • Recording of the surroundings or video capture in the workplace may leak corporate data.
  • Recording of the surroundings or video capture of the user's space can expose the user to potential risks such as worker extortion, sextortion, etc.

Investigative actions

  • Check whether the application registered in the Microsoft privacy settings (ConsentStore in the registry) is legitimate.
  • Check if the user was aware of the use of the device.
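
The ConsentStore check listed under Investigative actions for both the microphone and the webcam alert can be scripted on the affected host. The following PowerShell is an added example, not part of the Cortex XDR reference or Palo Alto Networks code; the registry path, the `NonPackaged` subkey layout, the `LastUsedTimeStart`/`LastUsedTimeStop` value names and the "zero stop time means still in use" reading are assumptions based on the standard Windows ConsentStore layout.

```powershell
# Added triage example, not vendor code.
# Assumption: NonPackaged subkey names are executable paths with '\' written as '#'.
$base  = 'Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore'
$roots = 'HKCU:', 'HKLM:'   # HKCU covers only the user running this script

function ConvertFrom-ConsentFileTime {
    param($Value)
    # LastUsedTimeStart/LastUsedTimeStop are FILETIME QWORDs; 0 or absent = no time.
    $ticks = [int64]$Value
    if ($ticks -le 0) { return $null }
    [DateTime]::FromFileTimeUtc($ticks)
}

$results = foreach ($root in $roots) {
    foreach ($device in 'microphone', 'webcam') {
        $key = "$root\$base\$device\NonPackaged"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($app in Get-ChildItem -LiteralPath $key) {
            $exe   = $app.PSChildName.Replace('#', '\')
            $start = ConvertFrom-ConsentFileTime $app.GetValue('LastUsedTimeStart')
            $stop  = ConvertFrom-ConsentFileTime $app.GetValue('LastUsedTimeStop')
            # A registered binary that is missing or unsigned deserves a closer look.
            $sig = if (Test-Path -LiteralPath $exe -PathType Leaf) {
                Get-AuthenticodeSignature -LiteralPath $exe
            }
            [pscustomobject]@{
                Hive         = $root
                Device       = $device
                Executable   = $exe
                Consent      = $app.GetValue('Value')
                LastStartUtc = $start
                LastStopUtc  = $stop
                # Assumption: a start time with a zero stop time means still capturing.
                InUseNow     = ($null -ne $start -and $null -eq $stop)
                SigStatus    = if ($sig) { $sig.Status } else { 'FileNotFound' }
                Signer       = if ($sig) { $sig.SignerCertificate.Subject }
            }
        }
    }
}

$results | Sort-Object LastStartUtc -Descending |
    Format-Table Device, Executable, Consent, LastStartUtc, InUseNow, SigStatus -AutoSize
```

Run it in the session of the user named in the alert so that `HKCU:` resolves to that user's hive, then compare the `Executable` and `LastStartUtc` columns against the process and timestamp in the alert.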