From 6e349030d9ffbc4fb89e27dfd2d3897f7b620b3d Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 8 Jun 2020 10:18:44 +0200
Subject: [PATCH] rule: suspicious camera and mic access
---
 .../sysmon/sysmon_susp_mic_cam_access.yml | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 rules/windows/sysmon/sysmon_susp_mic_cam_access.yml
diff --git a/rules/windows/sysmon/sysmon_susp_mic_cam_access.yml b/rules/windows/sysmon/sysmon_susp_mic_cam_access.yml
new file mode 100644
index 000000000..ad3c29378
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_susp_mic_cam_access.yml
@@ -0,0 +1,35 @@
+title: Suspicious Camera and Microphone Access
+id: 62120148-6b7a-42be-8b91-271c04e281a3
+description: Detects Processes accessing the camera and microphone from suspicious folder
+author: Den Iuzvyk
+date: 2020/06/07
+reference:
+ - https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
+tags:
+ - attack.collection
+ - attack.t1125
+ - attack.t1123
+logsource:
+ category: sysmon
+ product: windows
+detection:
+ selection_1:
+ EventId: 13
+ TargetObject|contains:
+ - \Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\\*\NonPackaged
+ selection_2:
+ TargetObject|contains:
+ - microphone
+ - webcam
+ selection_3:
+ TargetObject|contains:
+ - '#C:#Windows#Temp#'
+ - '#C:#$Recycle.bin#'
+ - '#C:#Temp#'
+ - '#C:#Users#Public#'
+ - '#C:#Users#Default#'
+ - '#C:#Users#Desktop#'
+ condition: all of selection_*
+falsepositives:
+ - Unlikely, there could be conferencing software running from a Temp folder accessing the devices
+level: high
\ No newline at end of file
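Review bot: The last selection_3 value `'#C:#Users#Desktop#'` cannot match on a stock Windows install — a Desktop folder lives under `C:\Users\<name>\Desktop`, never directly under `C:\Users`, so that entry is dead; replace it with `- '#Desktop#'` (or `- '#Users#*#Desktop#'` where the backend supports mid-string wildcards) and widen the falsepositives note accordingly, since user desktops are also where legitimately downloaded conferencing tools get launched from. Two conventions in the same hunk also look off: the Sysmon field is written `EventId: 13` where the repository's Windows rules use `EventID`, and `category: sysmon` is not a Sigma logsource category — the usual form is `product: windows` with `service: sysmon` (or `category: registry_event`), and without a recognised logsource a backend will not apply its Sysmon source filter, so `EventId` may silently fail to map to anything. The `\\*\` in selection_1 appears to be an escaped backslash followed by a wildcard, which works but is redundant with selection_2 and could be spelled as the two literal `microphone` / `webcam` key paths instead. It is also worth a sentence in the description that the rule presumes the deployed Sysmon configuration records value sets under `CapabilityAccessManager\ConsentStore`; common baseline configs do not necessarily include that key, in which case the rule never fires and the "Unlikely" false-positive claim is untested.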