New Rule - Linux-Audio-Capture

rules/linux/auditd/lnx_auditd_audio_capture.yml

@@ -0,0 +1,28 @@
+title: Audio Capture
+id: a7af2487-9c2f-42e4-9bb9-ff961f0561d5
+description: Detects attempts to record audio with arecord utility
+    #the actual binary that arecord is using and that has to be monitored is /usr/bin/aplay 
+author: 'Pawel Mazur'
+status: experimental
+date: 2021/09/04
+references:
+   - https://attack.mitre.org/techniques/T1123/
+logsource:
+   product: linux
+   service: auditd
+detection:
+   selection:
+       type: EXECVE
+       a0:
+           - arecord
+       a1:
+           - '-vv'
+       a2:
+           - '-fdat'
+   condition: selection
+tags:
+   - attack.collection
+   - attack.t1123
+falsepositives:
+   - None
+level: low