Can you track processes accessing the camera and microphone?

  • What process was using the camera or microphone?
  • When was the last session?
  • How long was that session?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\
HKEY_USERS\*\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\
HKEY_USERS\*\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\
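
The following PowerShell is an added example, not code from the original article. It answers the three questions above by reading the LastUsedTimeStart and LastUsedTimeStop FILETIME values under the keys listed; the function names are hypothetical, and treating a stop value of 0 as a session that is still open is an assumption of this example.

```powershell
# Added example: report the last camera/microphone session per application.
$base = 'SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore'

function Convert-ConsentFileTime([object]$Value) {
    # Values are REG_QWORD FILETIMEs; missing or 0 means "no timestamp".
    if ($null -eq $Value -or [int64]$Value -eq 0) { return $null }
    [DateTime]::FromFileTimeUtc([int64]$Value)
}

function Get-ConsentStoreSession {
    param([string[]]$Capability = @('webcam', 'microphone'))

    # HKLM plus every user hive currently loaded under HKEY_USERS.
    $roots = @('Registry::HKEY_LOCAL_MACHINE')
    $roots += Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        ForEach-Object { "Registry::$($_.Name)" }

    foreach ($root in $roots) {
        foreach ($cap in $Capability) {
            $path = "$root\$base\$cap"
            if (-not (Test-Path $path)) { continue }

            Get-ChildItem $path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
                $start = Convert-ConsentFileTime $_.GetValue('LastUsedTimeStart')
                if ($null -eq $start) { return }   # key holds no session data
                $stop = Convert-ConsentFileTime $_.GetValue('LastUsedTimeStop')

                $duration = $null
                if ($null -ne $stop -and $stop -ge $start) { $duration = $stop - $start }

                [pscustomobject]@{
                    Hive       = $root -replace '^Registry::', ''
                    Capability = $cap
                    # Non-packaged apps store the executable path with '#' in place of '\'.
                    App        = $_.PSChildName -replace '#', '\'
                    StartUtc   = $start
                    StopUtc    = $stop
                    InUse      = ($null -eq $stop)   # assumption: stop of 0 = still open
                    Duration   = $duration
                }
            }
        }
    }
}

Get-ConsentStoreSession | Sort-Object StartUtc -Descending | Format-Table -AutoSize
```

Only hives that are loaded appear under HKEY_USERS, so run it elevated and load offline NTUSER.DAT files first if other users' sessions matter.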

Testing RAT-like behaviour

Monitoring

<TargetObject condition="contains">SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\</TargetObject> <!-- When a process accesses Bluetooth, location, webcam, microphone etc., the timestamps of last access are updated here. HKLM and HKCU -->

Conclusion

svch0st