Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0619: Analytic 0619

Unusual or unauthorized processes accessing microphone APIs (e.g., winmm.dll, avrt.dll) followed by audio file writes to user-accessible or temp directories.

EnterpriseAN0619AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because microphone access can turn an endpoint into a source of sensitive business conversations, meetings, or regulated information. The practical value is not just spotting audio recording; it is validating whether the organization can distinguish legitimate conferencing, accessibility, and recording tools from unusual processes that call Windows microphone-related APIs and then write audio files into user-accessible or temporary locations.

Executive priority

Treat this as a privacy, insider-risk, and incident-readiness control question for Windows endpoints: do security teams have the telemetry and process context needed to explain microphone use when an investigation, audit, or executive concern arises? Priority should be higher for environments handling sensitive negotiations, legal matters, regulated data, or executive communications, but local risk depends on endpoint roles, approved software, and monitoring coverage.

Technical view

The supplied ATT&CK analytic is Windows-focused and describes unusual or unauthorized processes accessing microphone APIs such as winmm.dll or avrt.dll followed by audio file writes to user-accessible or temp directories. SOC and detection engineering teams should validate whether endpoint telemetry can correlate process identity, loaded modules or API/library usage where available, and subsequent file creation paths. Because no official detection logic or relationships were supplied, implementation should be environment-specific and should baseline approved audio applications before alerting on deviations.

Likely telemetry

  • Windows endpoint process creation and process lineage
  • Module load or API/library usage telemetry for microphone-related components such as winmm.dll and avrt.dll, where collected
  • File creation/write telemetry for audio-like files in user profile, user-accessible, or temporary directories
  • Application inventory or allowlist context for approved conferencing, recording, accessibility, and communications tools
  • User/session context to determine whether microphone use aligns with expected activity

Detection direction

  • Confirm that Windows endpoint telemetry can link microphone-related library/API access to the same process that later writes files in user-accessible or temp paths.
  • Baseline legitimate microphone-using software to reduce false positives from conferencing clients, browser-based calls, voice recorders, accessibility tools, and collaboration applications.
  • Tune for unusual process names, unexpected parent-child process relationships, unsigned or uncommon binaries, or microphone access from applications with no business reason to record audio.
  • Review blind spots where endpoint tooling does not collect module loads, API access, file writes, or user-context events; lack of these data sources may prevent this analytic from being implemented as described.
  • Use alerts as triage leads rather than proof of malicious activity, since the supplied ATT&CK object does not provide detection logic, attribution, or confirmed malicious outcomes.

Mitigation priorities

  • Establish and maintain an approved inventory of Windows applications permitted to access microphones.
  • Use operating system, endpoint management, or application-control policies to restrict microphone access where business workflows do not require it.
  • Harden endpoint controls so unapproved or unknown processes are less able to execute and write files in user-accessible or temporary locations.
  • Ensure incident response playbooks include privacy-sensitive handling of suspected audio capture evidence and clear escalation paths for legal, HR, or executive stakeholders when appropriate.
  • Periodically test whether SOC telemetry and retention are sufficient to reconstruct process, library/API, user, and file-write activity relevant to microphone access.
Analyst notes and limits

This is a detection analytic object, not a full ATT&CK technique entry. The strongest defensive use is as a validation requirement: can the organization observe and explain microphone access on Windows endpoints, especially when followed by local audio file creation? Local baselining is essential because many legitimate tools use microphones and write temporary or user-accessible files.

The official object provides a short analytic description only. No official detection logic, tactics, relationships, aliases, or labels were supplied, and the only supported platform is Windows. This summary does not infer active exploitation, adversary attribution, business impact, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Analytic 0619

Unusual or unauthorized processes accessing microphone APIs (e.g., winmm.dll, avrt.dll) followed by audio file writes to user-accessible or temp directories.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
7ed1467a67c9de9d...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 7ed1467a67c9…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0619
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use