Audio Capture via PowerShell

Detects an attacker collecting audio through a PowerShell cmdlet.

id:ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23
categories:detect
confidence:medium
os:windows
created:11/30/2018
updated:11/30/2018

MITRE ATT&CK™ Mapping

tactics:Collection
techniques:T1123 Audio Capture

Query

process where subtype.create and
  process_name == "powershell.exe" and command_line == "* WindowsAudioDevice-Powershell-Cmdlet *"
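As an added example, not part of the original analytic, the query's match conditions are re-implemented below in plain Python and run over constructed process-creation events (the field names follow the query's schema; the pids and command lines are made up), so the rule can be exercised offline without an EQL engine:

```python
"""Added example, not part of the original analytic: a stand-alone Python
re-implementation of the query's match conditions, run over constructed
process-creation events. Field names follow the schema the query uses."""
import fnmatch
import json

PROCESS_NAME = "powershell.exe"
# Same pattern as the analytic. In EQL, '*' matches any run of characters and
# string comparisons are case-insensitive; fnmatch over lower-cased text
# reproduces that for a pattern whose only wildcard character is '*'.
COMMAND_LINE_PATTERN = "* WindowsAudioDevice-Powershell-Cmdlet *"


def matches_audio_capture(event: dict) -> bool:
    """Return True when a process-creation event for powershell.exe has the
    WindowsAudioDevice-Powershell-Cmdlet module name in its command line."""
    if event.get("event_type") != "process" or event.get("subtype") != "create":
        return False
    if event.get("process_name", "").lower() != PROCESS_NAME:
        return False
    command_line = event.get("command_line", "").lower()
    return fnmatch.fnmatchcase(command_line, COMMAND_LINE_PATTERN.lower())


def find_matches(ndjson_events: str) -> list:
    """Run the analytic over newline-delimited JSON events; return matching pids."""
    hits = []
    for line in ndjson_events.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if matches_audio_capture(event):
            hits.append(event["pid"])
    return hits


# Constructed sample events (pids, ppids and command lines are made up).
SAMPLE_EVENTS = r"""
{"event_type":"process","subtype":"create","pid":4120,"ppid":3788,"process_name":"powershell.exe","command_line":"powershell.exe -NoProfile -Command Import-Module WindowsAudioDevice-Powershell-Cmdlet ; Get-AudioDevice -List"}
{"event_type":"process","subtype":"create","pid":4121,"ppid":3788,"process_name":"powershell.exe","command_line":"powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1"}
{"event_type":"process","subtype":"create","pid":4122,"ppid":3788,"process_name":"cmd.exe","command_line":"cmd.exe /c echo WindowsAudioDevice-Powershell-Cmdlet done"}
{"event_type":"process","subtype":"create","pid":4123,"ppid":3788,"process_name":"PowerShell.exe","command_line":"powershell.exe -c import-module windowsaudiodevice-powershell-cmdlet ; start-sleep 5"}
{"event_type":"process","subtype":"terminate","pid":4120,"ppid":3788,"process_name":"powershell.exe","command_line":"powershell.exe -NoProfile -Command Import-Module WindowsAudioDevice-Powershell-Cmdlet ; Get-AudioDevice -List"}
{"event_type":"process","subtype":"create","pid":4124,"ppid":3788,"process_name":"powershell.exe","command_line":"powershell.exe -c Import-Module WindowsAudioDevice-Powershell-Cmdlet"}
"""

if __name__ == "__main__":
    print("matching pids:", find_matches(SAMPLE_EVENTS))  # [4120, 4123]
```

Only pids 4120 and 4123 match: the terminate event fails the `subtype.create` test, cmd.exe fails the process name test, and the lower-case variant still matches because both comparisons are case-insensitive. Note that the leading and trailing spaces in the pattern require the module name to be space-delimited on both sides, so a command line that ends with the module name (pid 4124) is not matched by this query; that is worth keeping in mind when tuning the rule.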

Contributors