Audio Capture

An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.

Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.

ID: T1123

Tactic: Collection

Platform:  Linux, macOS, Windows

Permissions Required:  User

Data Sources:  API monitoring, Process monitoring, File monitoring

Version: 1.0



APT37 has used an audio capturing utility known as SOUNDWAVE that captures microphone input.[1]


Bandook has modules that are capable of capturing audio.[2]


Derusbi is capable of performing audio captures.[3]


EvilGrab has the capability to capture audio from a victim machine.[4]


Flame can record audio using any existing hardware recording devices.[5][6]


InvisiMole can record sound using input audio devices.[7]


Janicab captured audio and sent it out to a C2 server.[8][9]


MacSpy can record the sounds from microphones on a computer.[10]


PowerSploit's Get-MicrophoneAudio Exfiltration module can record system microphone audio.[11][12]


Pupy can record sound with the microphone.[13]


T9000 uses the Skype API to record audio and video calls. It writes encrypted data to %APPDATA%\Intel\Skype.[14]


VERMIN can perform audio capture.[15]


Mitigating this technique specifically may be difficult as it requires fine-grained API control. Efforts should be focused on preventing unwanted or unknown code from executing on a system.

Identify and block potentially malicious software that may be used to record audio by using whitelisting [16] tools, like AppLocker, [17] [18] or Software Restriction Policies [19] where appropriate. [20]


Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system.

Behavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the microphone, recording devices, or recording software, and a process periodically writing files to disk that contain audio data.