Audio Capture

Original Source: [Sigma source]
Title: Audio Capture
Status: test
Description: Detects attempts to record audio using the arecord and ecasound utilities.
References:
  - https://linux.die.net/man/1/arecord
  - https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa
  - https://manpages.debian.org/unstable/ecasound/ecasound.1.en.html
  - https://ecasound.seul.org/ecasound/Documentation/examples.html#fconversions
Author: Pawel Mazur, Milad Cheraghi
Date: 2021-09-04
Modified: 2025-06-05
Tags:
  • attack.collection
  • attack.t1123
Logsource:
  • product: linux
  • service: auditd
Detection:
  selection_execve:
    type: 'EXECVE'
    a0: 'arecord'
    a1: '-vv'
    a2: '-fdat'
  selection_syscall_memfd_create:
    type: 'SYSCALL'
    exe|endswith: '/ecasound'
    syscall: 'memfd_create'
  condition: 1 of selection_*
Falsepositives:
  - Unknown
Level: low
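To show how the two selections above behave against actual auditd records, here is an added Python example (not part of the Sigma rule or the Sigma project's code) that parses a few constructed `EXECVE` and `SYSCALL` lines and applies the same logic: the `arecord -vv -fdat` argv match and the `memfd_create` syscall from an executable ending in `/ecasound`, OR'd together as `1 of selection_*`. The sample records, the field regex and the x86_64 syscall-number table are assumptions made for the example; the only mapping it carries is 319 → `memfd_create` for `arch=c000003e`, which covers the caveat that raw auditd logs record the syscall number while the rule's `syscall: 'memfd_create'` expects the interpreted name (as produced by `ausearch -i` or an interpreting log pipeline).

```python
import re

# Constructed sample auditd records for this example; not real captures.
# Records 203 and 204 differ only in whether the syscall field is interpreted.
SAMPLE_LOG = """\
type=EXECVE msg=audit(1630760000.101:201): argc=5 a0="arecord" a1="-vv" a2="-fdat" a3="-d" a4="10"
type=EXECVE msg=audit(1630760000.102:202): argc=2 a0="arecord" a1="-l"
type=SYSCALL msg=audit(1630760000.103:203): arch=c000003e syscall=memfd_create success=yes exit=3 comm="ecasound" exe="/usr/bin/ecasound"
type=SYSCALL msg=audit(1630760000.104:204): arch=c000003e syscall=319 success=yes exit=4 comm="ecasound" exe="/usr/local/bin/ecasound"
type=SYSCALL msg=audit(1630760000.105:205): arch=c000003e syscall=memfd_create success=yes exit=5 comm="python3" exe="/usr/bin/python3"
type=EXECVE msg=audit(1630760000.106:206): argc=3 a0="ecasound" a1="-i" a2="alsa"
"""

# key=value pairs; values are either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")

# Assumption for this example: only the x86_64 number for memfd_create is mapped.
# Raw auditd logs carry the number; interpreted logs already carry the name.
SYSCALL_NAMES_X86_64 = {"319": "memfd_create"}


def parse_record(line):
    """Parse one auditd line into a dict of fields, normalizing the syscall name."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    serial = SERIAL_RE.search(line)
    fields["serial"] = serial.group(1) if serial else ""
    if fields.get("type") == "SYSCALL" and fields.get("arch") == "c000003e":
        raw = fields.get("syscall", "")
        fields["syscall"] = SYSCALL_NAMES_X86_64.get(raw, raw)
    return fields


def selection_execve(rec):
    """type=EXECVE with a0/a1/a2 exactly 'arecord', '-vv', '-fdat' (positional match)."""
    return (
        rec.get("type") == "EXECVE"
        and rec.get("a0") == "arecord"
        and rec.get("a1") == "-vv"
        and rec.get("a2") == "-fdat"
    )


def selection_syscall_memfd_create(rec):
    """type=SYSCALL, exe ending in '/ecasound', interpreted syscall name memfd_create."""
    return (
        rec.get("type") == "SYSCALL"
        and rec.get("exe", "").endswith("/ecasound")
        and rec.get("syscall") == "memfd_create"
    )


def matches(rec):
    """condition: 1 of selection_*  (either selection is enough)."""
    return selection_execve(rec) or selection_syscall_memfd_create(rec)


def matching_serials(log_text):
    """Return the audit serial numbers of records the rule fires on."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if matches(rec):
            hits.append(rec["serial"])
    return hits


if __name__ == "__main__":
    print(matching_serials(SAMPLE_LOG))  # ['201', '203', '204']
```

Two points worth checking when deploying the rule: the `EXECVE` selection is positional, so `arecord -f dat -vv` or `arecord -fdat -vv` produces no match even though it records the same audio, and the `SYSCALL` selection only fires if `memfd_create` is being audited (a rule such as `-a always,exit -F arch=b64 -S memfd_create` must be loaded) and the log field is interpreted to its name, as record 204 illustrates.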