Threat Hunting for Evidence of Eavesdropping
We’ve all had the paranoia that someone is listening to our phone conversations. You mean you’ve never heard that clicking noise or heavy breathing that isn’t coming from the primary conversation? Okay, maybe I’m just paranoid. In many organizations, the ability for an adversary to eavesdrop on a conversation would be considered extremely unwanted behavior. Going down this rabbit hole a bit more. If an adversary is using this technique to listen in on an executive’s conversation to, perhaps, get insider info to make a trade. Or what if that executive was a high ranking military official discussing details of an upcoming mission or troop movement? Before you start ripping out every microphone or speaker from your devices, consider who your adversaries are or might be. Based on your threat modelling, you might determine this is an area that warrants some hunting.
Real World Example and Not FUD
When it comes to hunting, the focus is typically on advanced adversaries—the ones whose tools and techniques may not have a well-defined signature. One recent examples is APT10. No, not a new group, but new in their use of a particular piece of malware. Routinely this group leveraged malware, dubbed EvilGrab, to accomplish its objectives. A report by PwC UK outlines the use of EvilGrab by APT10 for a myriad of reasons, to include capturing video and audio from victim hosts. Effectively, turning any infected host into a covert recording device. A few other examples exist, but suffice it to say, this technique is leveraged by some of the most sophisticated attackers in the world.
What to Hunt For
One excellent resource recently published by Red Canary provides some guidance. The resource, effectively named the Atomic Red Team, takes the techniques from the MITRE ATT&CK matrix and provides a means to test them against your detection capabilities. Although not comprehensive, the examples lend themselves as a starting point to help formulate the details in which to hunt for evil within your network. Because we have assessed that the existence of audio capture in our environment as highly unwanted, the subsequent hunt will be formulated around this behavior. The ATT&CK matrix classifies this technique as Collection, and more specifically, Audio Capture.
Atomic Red Team – Audio Capture Example
The Atomic Red Team (ART) example illustrates the ability for an adversary to capture audio by invoking a command, which then stores the capture as a .wma file. The file could then be exfiltrated and listened to glean the information sought after.
The specific command from this technique is:
SoundRecorder /FILE test.wma /DURATION 0000:00:30
Figure 1. Example of audio collection from the Atomic Red Team
Depending on your environment, use of SoundRecorder could be normal. It would be less normal for it to be invoked via cmd.exe. Leveraging the Sqrrl platform, the work of sifting through a mass amount of data looking for evidence that SoundRecorder is being invoked in a not-so-standard fashion becomes manageable.
If the adversary were to choose another method or application (even home grown) to collect audio, looking for data being staged would be another avenue. For example, large amounts (both in size and number of files) of audio files beginning to accumulate would be something to hunt for.
Enter Windows 10
Your organization is ahead of the curve. You’ve adopted and rolled out the latest version to all employees and the experience has been positive. Your next hunt is going to be looking for audio collection, but you quickly realize that SoundRecorder is not there. Breathing a sigh of relief, you log off and head home for the day. Just kidding. In reality, and in true Microsoft fashion, SoundRecoder has been simply replaced and made “better.” In Windows 10, the built-in application is called Voice Recorder. By now you’re probably wondering a few things: can you record sound via the command line in a similar fashion to SoundRecorder and possibly, isn’t there a broader way to look for evidence that this type of activity is occurring? No and yes. Thankfully, there isn’t an as easy way of invoking Voice Recorder from the command line without some custom PowerShell or .NET programming. Since Vista, much progress has been made in terms of granular logging. Application and Service event logs allow detailed views into areas that might have not been previously logged or they were so buried in the Application log, that no one dared look. Armed with this information, evidence that an application is using audio can be found in the Microsoft Windows Audio PlaybackManger event log. To find evidence of potential mis-use here are two potential options:
1. Hunt for Event ID 20, Source: Audio, Type: 3 in the Microsoft Windows Audio PlaybackManager event log. In my tests, I noted this event was written multiple times while Voice Recorder was recording.
2. Look for evidence that the Voice Recorder App is starting. Most Sysmon configs do not have this enumerated, so it might be best to add it to your config. I have chosen to forward this data via NXLog for the Microsoft-Windows-TWinUI Operational log.
Looking for WindowsSoundRecorder could point to use, and potentially legitimate use, of this application. Basically, this could be a noise way to attempt to determine unwanted audio capture if done manually.
Enriching Your Analytics
Now that you have some ideas to find this behavior, it’s time to enrich your alerts within your environment. Based on what has been discussed, here is an example alert that could be setup to rapidly identify potentially unwanted audio capture within your organization.
A good hunt truly starts with a well-informed hypothesis. Depending on who your adversary is and what you’re trying to protect from them will help to direct and prioritize your hunt. If your organization records audio frequently, this type of hunt could be very noisy. On the other hand, your organization may not permit audio recording. In that case, any use of this would be very interesting. Numerous resources exist that are proving to be great starting points for what to hunt for. Leverage these tools can help you to better understand what you need to be looking for within your environment.
For further information:
- View Matthew Hosbourgh’s Threat Hunter Profile.
- Read his post on examining network patterns hunting Powershells.
- Check out his post on examining the host hunting misbehaving PowerShells.