The ConsentStore in CapabilityAccessManager can provide insight to
what resources binaries have had access to, such as the microphone
and webcam. This artefact returns non-Microsoft executables (ie:
entries listed in the NonPackaged path).
Additional Resources:
Tags: #windows #registry
name: Windows.Registry.CapabilityAccessManager
description: |
The ConsentStore in CapabilityAccessManager can provide insight to
what resources binaries have had access to, such as the microphone
and webcam. This artefact returns non-Microsoft executables (ie:
entries listed in the `NonPackaged` path).
Additional Resources:
* https://svch0st.medium.com/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
* https://thinkdfir.com/2022/01/04/i-can-see-and-hear-you-seeing-and-hearing-me/
Tags: #windows #registry
author: Zach Stanford - @svch0st, Phill Moore - @phillmoore
type: CLIENT
parameters:
- name: KeyList
description: List of reg locations and descriptions
type: csv
default: |
Glob,Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\*\NonPackaged\*, SoftwareHive
HKEY_USERS\*\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\*\NonPackaged\*, UserHive
sources:
- queries:
- |
SELECT * FROM foreach(
row=KeyList,
query={
SELECT Description as SourceLocation,
path_split(path=FullPath)[-3] as Accessed,
regex_replace(source=basename(path=FullPath), re="#", replace="/") as Program,
{SELECT timestamp(winfiletime=atoi(string=Data.value)) FROM glob(globs=FullPath+'\\LastUsedTimeStart', accessor="reg")} as LastUsedTimeStart,
{SELECT timestamp(winfiletime=atoi(string=Data.value)) FROM glob(globs=FullPath+'\\LastUsedTimeStop', accessor="reg")} as LastUsedTimeStop,
dirname(path=FullPath) as KeyPath
FROM glob(globs=Glob, accessor="reg")
Where NOT Program = "Value"
}
)