Language: KQL. License: Elastic-2.0. From elastic/detection-rules.

Linux Audio Recording Activity Detected

Rule source: rules/linux/collection_potential_audio_recording_activity.toml
event.category:process and host.os.type:"linux" and event.type:"start" and event.action:("exec" or "exec_event" or "start") and (
  process.name:("arecord" or "parec" or "pw-record" or "ecasound") or
  (process.name:"pw-cat" and process.args:"-r") or
  (process.name:"ffmpeg" and process.args:"-i")
) and
not process.args:("-h" or "--help" or "--version")
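To see which process events the query above would flag, here is an added example (not part of elastic/detection-rules) that re-implements the rule's conditions as a Python predicate and runs it over a handful of constructed, ECS-style process events. The field names mirror the query; the event contents are made up for illustration, and the `matches_rule` / `flagged_processes` helper names are this example's own.

```python
"""Re-implementation of the Linux audio-recording detection logic (added example).

The rule flags process start events on Linux where the binary is a known
audio recorder, or pw-cat/ffmpeg is invoked with a recording/input flag,
unless the command only asked for help or version output.
"""

RECORDERS = {"arecord", "parec", "pw-record", "ecasound"}
START_ACTIONS = {"exec", "exec_event", "start"}
HELP_FLAGS = {"-h", "--help", "--version"}


def _has(value, wanted: str) -> bool:
    """KQL `field:"x"` semantics: true if the field equals x or is an array containing x."""
    if isinstance(value, (list, tuple, set)):
        return wanted in value
    return value == wanted


def matches_rule(event: dict) -> bool:
    """Return True if a flattened process event satisfies the rule."""
    if not _has(event.get("event.category"), "process"):
        return False
    if not _has(event.get("host.os.type"), "linux"):
        return False
    if not _has(event.get("event.type"), "start"):
        return False
    if not any(_has(event.get("event.action"), a) for a in START_ACTIONS):
        return False

    name = event.get("process.name", "")
    args = event.get("process.args", [])

    # Recorder-specific conditions, matching the OR block of the query.
    is_recorder = (
        name in RECORDERS
        or (name == "pw-cat" and _has(args, "-r"))   # pw-cat in record mode
        or (name == "ffmpeg" and _has(args, "-i"))   # ffmpeg with an input
    )
    if not is_recorder:
        return False

    # `not process.args:("-h" or "--help" or "--version")`: drop help/version runs.
    return not any(_has(args, flag) for flag in HELP_FLAGS)


def flagged_processes(events) -> list:
    """Return the process.name of every event the rule would alert on, in order."""
    return [e["process.name"] for e in events if matches_rule(e)]


def _event(name, args, os_type="linux", event_type="start", action="exec"):
    """Build a constructed, minimal ECS-like process event for the examples below."""
    return {
        "event.category": ["process"],
        "event.type": [event_type],
        "event.action": action,
        "host.os.type": os_type,
        "process.name": name,
        "process.args": [name] + args,
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    _event("arecord", ["-f", "cd", "-d", "10", "out.wav"]),        # flagged
    _event("pw-cat", ["-r", "out.wav"]),                           # flagged: record mode
    _event("pw-cat", ["-p", "music.wav"]),                         # not flagged: playback
    _event("ffmpeg", ["-f", "alsa", "-i", "default", "out.wav"]),  # flagged
    _event("arecord", ["--help"]),                                 # excluded: help flag
    _event("arecord", ["-d", "5", "o.wav"], os_type="windows"),    # not flagged: wrong OS
    _event("parec", ["out.raw"], event_type="end"),                # not flagged: not a start
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{'ALERT ' if matches_rule(e) else 'ignore'}  {' '.join(e['process.args'])}")
```

Running the block prints one line per sample event; only the `arecord`, `pw-cat -r`, and `ffmpeg -i` invocations produce alerts. Note that the `ffmpeg ... -i` clause matches any ffmpeg run with an input file, not only audio capture, which is the main tuning point for this rule.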