8000 Added new tool for recording audio - ecasound by CheraghiMilad · Pull Request #5385 · SigmaHQ/sigma · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

Added new tool for recording audio - ecasound #5385

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
May 21, 2025
Merged

Added new tool for recording audio - ecasound #5385

merged 5 commits into from
May 21, 2025

Conversation

CheraghiMilad
Copy link
Contributor
@CheraghiMilad CheraghiMilad commented Apr 26, 2025
edited by phantinuss
Loading

Summary of the Pull Request

The Audio Capture technique detects attempts to record audio using the arecord and ecasound utilities. These tools are commonly used in Linux environments for audio recording and sound manipulation. arecord is a command-line utility for recording audio via ALSA (Advanced Linux Sound Architecture), while ecasound is an audio processing tool that provides advanced features for multi-track recording. Detection rules are based on monitoring for specific execution commands or system calls that involve these utilities.

Changelog

  • update: Audio Capture - add ecasound detection

Example Log Event

{
  "type": "SYSCALL",
  "msg": "audit(1745697050.075:2344):",
  "arch": "c000003e",
  "syscall": 319,
  "success": "yes",
  "exit": 19,
  "a0": "7ffe5b4fdb40",
  "a1": 3,
  "a2": 0,
  "a3": 0,
  "items": 0,
  "ppid": 17756,
  "pid": 18259,
  "auid": 1000,
  "uid": 1000,
  "gid": 1000,
  "euid": 1000,
  "suid": 1000,
  "fsuid": 1000,
  "egid": 1000,
  "sgid": 1000,
  "fsgid": 1000,
  "tty": "pts3",
  "ses": 3,
  "comm": "ecasound",
  "exe": "/usr/bin/ecasound",
  "subj": "unconfined",
  "key": "anon_file_create"
}

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions github-actions bot added Rules Linux Pull request add/update linux related rules labels Apr 26, 2025
frack113
frack113 reviewed Apr 27, 2025
View reviewed changes
CheraghiMilad and others added 2 commits April 27, 2025 19:52
@CheraghiMilad @frack113
Update rules/linux/auditd/lnx_auditd_audio_capture.yml
d61d21d
< 8000 pre class="color-fg-muted ws-pre-wrap">Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
@CheraghiMilad @frack113
Update rules/linux/auditd/lnx_auditd_audio_capture.yml
df3d991 
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
frack113
frack113 approved these changes Apr 28, 2025
View reviewed changes
Copy link
Member
@frack113 frack113 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@nasbench nasbench requested a review from phantinuss May 20, 2025 21:10
@nasbench nasbench added 2nd Review Needed PR need a second approval and removed Ready to Merge labels May 20, 2025
phantinuss
phantinuss approved these changes May 21, 2025
View reviewed changes
@phantinuss phantinuss merged commit 304b019 into SigmaHQ:master May 21, 2025
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@frack113 frack113 frack113 approved these changes

@phantinuss phantinuss phantinuss approved these changes

Assignees
No one assigned
Labels
2nd Review Needed PR need a second approval Linux Pull request add/update linux related rules Rules
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@CheraghiMilad @frack113 @phantinuss @nasbench
0