From caf78b5ea13dc20944779fb6b8da915cb5be3ff9 Mon Sep 17 00:00:00 2001
From: Pawel Mazur
Date: Sat, 4 Sep 2021 22:10:34 +0200
Subject: [PATCH 1/2] New Rule - Linux-Audio-Capture

---
 .../linux/auditd/lnx_auditd_audio_capture.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 rules/linux/auditd/lnx_auditd_audio_capture.yml

diff --git a/rules/linux/auditd/lnx_auditd_audio_capture.yml b/rules/linux/auditd/lnx_auditd_audio_capture.yml
new file mode 100644
index 000000000..3d3c5ccd6
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_audio_capture.yml
@@ -0,0 +1,28 @@
+title: Audio Capture
+id: a7af2487-9c2f-42e4-9bb9-ff961f0561d5
+description: Detects attempts to record audio with arecord utility
+ #the actual binary that arecord is using and that has to be monitored is /usr/bin/aplay
+author: 'Pawel Mazur'
+status: experimental
+date: 2021/09/04
+references:
+ - https://attack.mitre.org/techniques/T1123/
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection:
+ type: EXECVE
+ a0:
+ - arecord
+ a1:
+ - '-vv'
+ a2:
+ - '-fdat'
+ condition: selection
+tags:
+ - attack.collection
+ - attack.t1123
+falsepositives:
+ - None
+level: low

From 5042ba65ac87557c931f3208c46d0d925ca46ee8 Mon Sep 17 00:00:00 2001
From: zakibro <48967550+zakibro@users.noreply.github.com>
Date: Sun, 5 Sep 2021 09:28:53 +0200
Subject: [PATCH 2/2] Update lnx_auditd_audio_capture.yml

Added more references about arecord.

---
 rules/linux/auditd/lnx_auditd_audio_capture.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/rules/linux/auditd/lnx_auditd_audio_capture.yml b/rules/linux/auditd/lnx_auditd_audio_capture.yml
index 3d3c5ccd6..42246e7a6 100644
--- a/rules/linux/auditd/lnx_auditd_audio_capture.yml
+++ b/rules/linux/auditd/lnx_auditd_audio_capture.yml
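Review bot: The selection in the new rule pins `a1: '-vv'` and `a2: '-fdat'` as exact positional arguments, so an `arecord` run with a different flag order, a different `-f` value, or no verbosity flag produces an EXECVE record the rule never matches, and `a0: arecord` likewise misses an invocation by full path. Given the rule already targets T1123 at `level: low`, matching on the program name alone is the more useful baseline: `a0|endswith: arecord` with `a1`/`a2` dropped, or kept in a separate selection that narrows rather than defines the hit. The indented `#the actual binary ...` comment under `description` records a deployment prerequisite — an audit rule that covers `/usr/bin/aplay` — that is lost when Sigma tooling round-trips the YAML; move that sentence into the `description` value itself. `falsepositives: - None` should name what a triager would actually see, e.g. `Legitimate audio recording by interactive users`.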
@@ -6,6 +6,8 @@ author: 'Pawel Mazur'
 status: experimental
 date: 2021/09/04
 references:
+ - https://linux.die.net/man/1/arecord
+ - https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa
 - https://attack.mitre.org/techniques/T1123/
 logsource:
 product: linux