Audio Capture

An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.

Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.

ID: T1123
Tactic: Collection
Platform: Linux, macOS, Windows
Permissions Required: User
Data Sources: API monitoring, Process monitoring, File monitoring
Version: 1.0

Procedure Examples

Name Description
APT37 APT37 has used an audio capturing utility known as SOUNDWAVE that captures microphone input. [28]
Bandook Bandook has modules that are capable of capturing audio. [22]
Cobian RAT Cobian RAT has a feature to perform voice recording on the victim’s machine. [17]
DarkComet DarkComet can listen in to victims' conversations through the system’s microphone. [20] [21]
Derusbi Derusbi is capable of performing audio captures. [5]
DOGCALL DOGCALL can capture microphone data from the victim's machine. [19]
EvilGrab EvilGrab has the capability to capture audio from a victim machine. [6]
Flame Flame can record audio using any existing hardware recording devices. [12] [13]
InvisiMole InvisiMole can record sound using input audio devices. [18]
Janicab Janicab captured audio and sent it out to a C2 server. [15] [16]
jRAT jRAT can capture microphone recordings. [23]
Machete Machete captures audio from the computer’s microphone. [27]
MacSpy MacSpy can record the sounds from microphones on a computer. [8]
Micropsia Micropsia can perform microphone recording. [14]
NanoCore NanoCore can capture audio feeds from the system. [9] [10]
PowerSploit PowerSploit's Get-MicrophoneAudio Exfiltration module can record system microphone audio. [3] [4]
Pupy Pupy can record sound with the microphone. [1]
Remcos Remcos can capture data from the system’s microphone. [2]
Revenge RAT Revenge RAT has a plugin for microphone interception. [24] [25]
ROKRAT ROKRAT has a audio capture and eavesdropping module. [26]
T9000 T9000 uses the Skype API to record audio and video calls. It writes encrypted data to %APPDATA%\Intel\Skype. [7]
VERMIN VERMIN can perform audio capture. [11]


This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.


Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system.

Behavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the microphone, recording devices, or recording software, and a process periodically writing files to disk that contain audio data.