Behavioral Detection Strategy for T1123 Audio Capture Across Windows, Linux, macOS

Technique Detected: Audio Capture | T1123

ID: DET0221
Domains: Enterprise
Analytics: AN0619, AN0620, AN0621
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0619

Unusual or unauthorized processes accessing microphone APIs (e.g., winmm.dll, avrt.dll) followed by audio file writes to user-accessible or temp directories.

Log Sources
Data Component Name         Channel
Process Access (DC0035)     WinEventLog:Sysmon EventCode=10
File Creation (DC0039)      WinEventLog:Sysmon EventCode=11
Process Creation (DC0032)   WinEventLog:Security EventCode=4688
Mutable Elements
Field            Description
TimeWindow       Time span in which the process accesses audio APIs and writes files, to reduce false positives.
TargetProcess    Set of approved processes known to legitimately use the microphone (e.g., Zoom, Teams).
WriteDirectory   Allowlist of paths where legitimate apps store audio (e.g., user media folders).
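The AN0619 correlation (audio API access, then an audio file write by the same process inside TimeWindow, filtered by the TargetProcess and WriteDirectory allowlists) as an added example that is not part of the original detection strategy. It assumes the raw Sysmon/Security events have already been normalized into dicts with a "kind" field; note that the load of winmm.dll or avrt.dll itself is recorded by Sysmon as Event ID 7 (Image loaded), so that channel is the practical source for the "audio_api_access" events. All paths, process names and timestamps are constructed.

```python
from datetime import datetime, timedelta

# Mutable elements from AN0619; the concrete values are constructed placeholders
TIME_WINDOW = timedelta(minutes=5)                 # TimeWindow
APPROVED_PROCESSES = {"zoom.exe", "teams.exe"}     # TargetProcess allowlist
WRITE_ALLOWLIST = ("c:\\users\\alice\\music\\",)   # WriteDirectory allowlist (lowercase)
AUDIO_MODULES = {"winmm.dll", "avrt.dll"}
AUDIO_EXTENSIONS = (".wav", ".mp3", ".aiff", ".m4a")

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def correlate(events):
    """Return (image, module, target) tuples for every non-approved process that
    wrote an audio file to a non-allowlisted path within TIME_WINDOW after loading
    an audio API module. Events are normalized dicts; they are sorted here by 'time'."""
    loads = {}   # image path -> list of (time, module) audio API accesses
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if basename(ev["image"]) in APPROVED_PROCESSES:
            continue                                   # TargetProcess allowlist
        if ev["kind"] == "audio_api_access" and basename(ev["module"]) in AUDIO_MODULES:
            loads.setdefault(ev["image"], []).append((t, ev["module"]))
        elif ev["kind"] == "file_create":
            target = ev["target"].lower()
            if not target.endswith(AUDIO_EXTENSIONS) or target.startswith(WRITE_ALLOWLIST):
                continue                               # not audio, or WriteDirectory allowlist
            for t_load, module in loads.get(ev["image"], []):
                if timedelta(0) <= t - t_load <= TIME_WINDOW:   # write follows the API access
                    alerts.append((ev["image"], module, ev["target"]))
                    break
    return alerts

# Constructed sample telemetry (not real logs): an approved app, an unsigned binary
# in Temp that records within the window, one allowlisted write, one late write.
TMP = "C:\\Users\\alice\\AppData\\Local\\Temp\\"
SAMPLE_EVENTS = [
    {"time": "2025-10-21T10:00:00", "kind": "audio_api_access",
     "image": "C:\\Program Files\\Zoom\\zoom.exe", "module": "C:\\Windows\\System32\\winmm.dll"},
    {"time": "2025-10-21T10:00:30", "kind": "file_create",
     "image": "C:\\Program Files\\Zoom\\zoom.exe", "target": TMP + "meeting.wav"},
    {"time": "2025-10-21T10:02:00", "kind": "audio_api_access",
     "image": TMP + "svchost.exe", "module": "C:\\Windows\\System32\\avrt.dll"},
    {"time": "2025-10-21T10:03:30", "kind": "file_create",
     "image": TMP + "svchost.exe", "target": TMP + "cap1.wav"},
    {"time": "2025-10-21T10:03:40", "kind": "file_create",
     "image": TMP + "svchost.exe", "target": "C:\\Users\\alice\\Music\\song.wav"},
    {"time": "2025-10-21T10:30:00", "kind": "file_create",
     "image": TMP + "svchost.exe", "target": TMP + "cap2.wav"},
]
```

Running `correlate(SAMPLE_EVENTS)` yields a single alert for cap1.wav; the Zoom write, the allowlisted Music write and the write 28 minutes after the module load are all suppressed.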

AN0620

Processes accessing ALSA/PulseAudio devices or executing audio capture binaries like 'arecord', followed by file creation or suspicious child process spawning.

Log Sources
Data Component Name         Channel
File Access (DC0055)        auditd:SYSCALL open
Process Creation (DC0032)   linux:Sysmon EventCode=1
File Creation (DC0039)      auditd:SYSCALL write
Mutable Elements
Field            Description
ExecutableName   Capture binaries like arecord, parecord, or ffmpeg.
DevicePath       Log attempts to access /dev/snd/*, /dev/dsp, /proc/asound/*.
UserContext      Whether the user has audio access rights or is running under elevated privileges.

AN0621

Processes invoking AVFoundation or CoreAudio frameworks, with their input-device access recorded in TCC logs or Unified Logs, followed by writing AIFF/WAV/MP3 files to disk.

Log Sources
Data Component Name         Channel
OS API Execution (DC0021)   macos:unifiedlog audio APIs
Process Access (DC0035)     Apple TCC Logs Microphone Access Events
File Creation (DC0039)      fs:fsusage File IO
Mutable Elements
Field             Description
FrameworkCall     CoreAudio vs. AVFoundation vs. lower-level device access APIs.
TargetDirectory   Suspicious file drops (e.g., ~/Library/Caches/, /tmp/, nonstandard user folders).
AnomalousParent   Unexpected parent-child relationship between non-media apps and AV capture.