MITRE ATT&CK® Detection Strategy

DET0221: Behavioral Detection Strategy for T1123 Audio Capture Across Windows, Linux, macOS


Enterprise · DET0221 · Detection Strategy · Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0221 is a MITRE detection strategy object for detecting Audio Capture (T1123), where adversaries may use microphones, webcams, or communications applications to record sensitive conversations on Windows, Linux, or macOS systems. The business significance is not just privacy loss: recorded executive, legal, operational, or customer conversations can undermine incident response, negotiations, regulated-data handling, and physical or cyber-physical security discussions if compromised.

Executive priority

Security leaders should treat audio-capture detection as a control validation question: do endpoint, privacy, and monitoring programs provide evidence when software accesses recording devices or creates suspicious audio artifacts? This matters for executive communications, regulated environments, hybrid-work endpoints, and high-sensitivity roles. Because the supplied ATT&CK object has no official detection text, leaders should avoid assuming coverage from generic EDR deployment alone and should request proof of telemetry, alert logic, investigation procedures, and exception handling across Windows, Linux, and macOS where those platforms are in scope.

Technical view

SOC, detection engineering, and IR teams should validate coverage against T1123 Audio Capture in the collection tactic. Practical validation should focus on endpoint evidence of processes interacting with audio-capable peripherals or OS/application audio APIs, creation of audio files, and follow-on handling of those files where locally observable. Teams should account for legitimate use by conferencing, browser, accessibility, recording, and collaboration tools, and should tune around expected business applications while preserving visibility into unusual processes, unexpected parent-child process context, abnormal file locations, or activity on systems and users that should not record audio.

Likely telemetry

  • Endpoint process execution and parent-child process context on Windows, Linux, and macOS
  • Operating system or endpoint security events related to microphone or audio device access, where available
  • Application permission, privacy, or device-access logs for microphone-capable applications, where available
  • File creation or modification events for audio recording formats and temporary media files
  • Peripheral/device inventory and configuration data for systems with microphones or webcams

Detection direction

  • Confirm whether telemetry exists for microphone/audio-device access on each supported operating system in the local environment; do not assume parity across Windows, Linux, and macOS.
  • Baseline legitimate audio use by approved collaboration, browser, meeting, call-center, accessibility, and recording applications to reduce false positives.
  • Prioritize alerts where audio-device access or audio-file creation is performed by unusual binaries, scripts, unsigned or untrusted processes, unexpected service accounts, or processes running from temporary/user-writable paths.
  • Correlate audio capture indicators with file staging or later transfer evidence when available, since the related technique notes that audio files may be written to disk and exfiltrated later.
  • Add context for high-risk users and systems, such as executives, legal, finance, security operations, industrial operations, or rooms/endpoints used for sensitive conversations.
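As an added example (not Glexia's or MITRE's code), a small Python triage filter that applies the steps above to constructed endpoint events: it keeps only microphone-access and audio-file-write indicators, scores them against an assumed approved-app baseline, code-signature status, user-writable paths and a high-risk user list, and correlates a later transfer by the same process. All process names, paths, event fields and list contents are assumptions.

```python
from collections import namedtuple

# Assumed audio-artefact formats and approved-app baseline; tune from local inventory.
AUDIO_EXTS = (".wav", ".mp3", ".m4a", ".ogg", ".flac", ".wma", ".aac")
APPROVED = {"teams.exe", "zoom.exe", "chrome.exe", "zoom.us", "firefox"}
USER_WRITABLE = ("/tmp/", "\\appdata\\", "\\users\\", "/users/", "\\temp\\")

# Endpoint record; action: "device_access" | "file_create" | "net_transfer"; target: device, path or destination.
Event = namedtuple("Event", "host user process image_path signed action target")

def is_audio_indicator(ev) -> bool:
    """Microphone access and audio-format file writes are the T1123 evidence."""
    return ev.action == "device_access" or (
        ev.action == "file_create" and ev.target.lower().endswith(AUDIO_EXTS))

def score_event(ev, high_risk_users) -> list:
    """Reasons to prioritise an audio indicator; empty means baseline activity."""
    reasons = []
    if ev.process.lower() not in APPROVED:
        reasons.append("process outside approved audio-app baseline")
    if not ev.signed:
        reasons.append("unsigned or untrusted binary")
    if any(p in ev.image_path.lower() for p in USER_WRITABLE):
        reasons.append("running from user-writable path")
    if ev.user.lower() in high_risk_users:
        reasons.append("high-risk user context")
    return reasons

def triage(events, high_risk_users=frozenset()) -> dict:
    """Group indicators per (host, process) in time order; a later transfer by an
    already-suspicious process records the written-to-disk-then-sent follow-on."""
    findings = {}
    for ev in events:
        key = (ev.host, ev.process.lower())
        if ev.action == "net_transfer" and findings.get(key):
            findings[key].append("capture followed by transfer")
        elif is_audio_indicator(ev):
            known = findings.setdefault(key, [])
            known.extend(r for r in score_event(ev, high_risk_users) if r not in known)
    return {k: v for k, v in findings.items() if v}  # drop baseline-only entries

# Constructed sample telemetry (not real logs), in time order.
TMP = "C:\\Users\\cfo\\AppData\\Local\\Temp\\"
SAMPLE = [
    Event("ws01", "alice", "zoom.exe", "C:\\Program Files\\Zoom\\bin\\zoom.exe",
          True, "file_create", "C:\\Users\\alice\\Documents\\Zoom\\audio_only.m4a"),
    Event("ws02", "cfo", "audiosvc.exe", TMP + "audiosvc.exe", False, "device_access", "Microphone Array"),
    Event("ws02", "cfo", "audiosvc.exe", TMP + "audiosvc.exe", False, "file_create", TMP + "rec1.wav"),
    Event("ws02", "cfo", "audiosvc.exe", TMP + "audiosvc.exe", False, "net_transfer", "203.0.113.10:443"),
]
```

Calling `triage(SAMPLE, {"cfo"})` drops the signed, approved Zoom write entirely and returns one finding for the unsigned temp-path process with five reasons, the last being the capture-then-transfer correlation.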

Mitigation priorities

  • Inventory systems and applications that legitimately require microphone access, then remove or restrict unnecessary access where business processes allow.
  • Use operating system privacy and application permission controls to limit microphone access to approved applications and users.
  • Harden endpoints so unapproved scripts or applications are less likely to execute and interact with audio devices.
  • Ensure endpoint logging, file monitoring, and investigation playbooks include audio-capture scenarios across Windows, Linux, and macOS assets in scope.
  • For sensitive roles or environments, pair technical controls with policy, user awareness, and physical meeting hygiene, especially where confidential conversations occur near endpoint microphones.

Analyst notes and limits

This take is based on the supplied MITRE detection strategy object DET0221 and its relationship to T1123 Audio Capture. The related technique places the behavior in the collection tactic and identifies Windows, Linux, and macOS as related platforms. The most useful local work is to prove whether endpoint and application telemetry can show microphone access and suspicious audio-file creation, then tune detections around legitimate business audio use.

The DET0221 object supplied here has no official description, no official detection content, and no platform or tactic fields of its own. Platform and tactic context comes from the relationship to T1123 Audio Capture. This summary does not claim active exploitation, attribution, impact, or guaranteed detection coverage; local environment telemetry and control validation are required.

Official MITRE ATT&CK definition

Behavioral Detection Strategy for T1123 Audio Capture Across Windows, Linux, macOS

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain      ID     Name           Relationship / procedure
Enterprise  T1123  Audio Capture  This object detects Audio Capture.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 7c36c238053cbdf9...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  7c36c238053c…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0221 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.