Windows.Registry.CapabilityAccessManager

The ConsentStore in CapabilityAccessManager can provide insight into what resources binaries have had access to, such as the microphone and webcam. This artefact returns classic desktop (non-packaged) executables, i.e. the entries listed under each capability's NonPackaged key, where the key name is the executable path with `#` in place of `\`. Packaged (Store/UWP) apps are keyed by package family name directly under the capability and are not returned.

Additional Resources:

* https://svch0st.medium.com/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
* https://thinkdfir.com/2022/01/04/i-can-see-and-hear-you-seeing-and-hearing-me/

Tags: #windows #registry


name: Windows.Registry.CapabilityAccessManager
description: |
    The ConsentStore in CapabilityAccessManager can provide insight into
    what resources binaries have had access to, such as the microphone
    and webcam. This artefact returns classic desktop (non-packaged)
    executables, i.e. the entries listed under each capability's
    `NonPackaged` key, where the key name is the executable path with
    `#` in place of `\`. Packaged (Store/UWP) apps are keyed by package
    family name directly under the capability and are not returned.

    Additional Resources:

    * https://svch0st.medium.com/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
    * https://thinkdfir.com/2022/01/04/i-can-see-and-hear-you-seeing-and-hearing-me/

    Tags: #windows #registry

author: Zach Stanford - @svch0st, Phill Moore - @phillmoore
type: CLIENT

parameters:
  - name: KeyList
    description: List of reg locations and descriptions
    type: csv
    default: |
        Glob,Description
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\*\NonPackaged\*,SoftwareHive
        HKEY_USERS\*\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\*\NonPackaged\*,UserHive
sources:
    - queries:
        - |

            SELECT * FROM foreach(
                row=KeyList,
                query={
                    SELECT Description as SourceLocation,
                        path_split(path=FullPath)[-3] as Accessed,
                        regex_replace(source=basename(path=FullPath), re="#", replace="/") as Program,
                        {SELECT timestamp(winfiletime=atoi(string=Data.value)) FROM glob(globs=FullPath+'\\LastUsedTimeStart', accessor="reg")} as LastUsedTimeStart,
                        {SELECT timestamp(winfiletime=atoi(string=Data.value)) FROM glob(globs=FullPath+'\\LastUsedTimeStop', accessor="reg")} as LastUsedTimeStop,
                        dirname(path=FullPath) as KeyPath
                    FROM glob(globs=Glob, accessor="reg")
                    Where NOT Program = "Value"
                }
            )
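The following Python script is an added example and is not part of this artifact or of the Velociraptor project. It reproduces the artifact's logic offline against a constructed `reg export`-style dump of the ConsentStore (the sample text below is made up, not a real capture): it selects only the NonPackaged program keys from both hive locations, takes the capability name from the grandparent key exactly as the VQL's `path_split(path=FullPath)[-3]` does, restores `\` from the `#` in the key name (the artifact emits `/` instead), and decodes LastUsedTimeStart/LastUsedTimeStop from their little-endian REG_QWORD FILETIME bytes. It also handles one edge the query above does not: a LastUsedTimeStop of 0, which `timestamp(winfiletime=0)` renders as 1601-01-01T00:00:00Z, is reported here as no stop time recorded, which is the case to look at when you want to know what was still holding the device when the values were written.

```python
"""Offline reproduction of Windows.Registry.CapabilityAccessManager over a
`reg export`-style dump. Added example; the sample dump below is constructed."""
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Matches only NonPackaged program keys, mirroring the two globs in KeyList.
NONPACKAGED_KEY = re.compile(
    r"^\[(?P<hive>HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER|HKEY_USERS\\[^\\]+)"
    r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager"
    r"\\ConsentStore\\(?P<capability>[^\\]+)\\NonPackaged\\(?P<program>[^\]]+)\]$",
    re.IGNORECASE,
)

# Constructed sample (not a real capture): one HKLM microphone entry with a
# completed session, one per-user webcam entry whose Stop value is still 0,
# plus a packaged-app key and the per-capability "Value" that must be ignored.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone]
"Value"="Allow"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\Microsoft.WindowsCamera_8wekyb3d8bbwe]
"Value"="Allow"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\C:#Tools#meet.exe]
"Value"="Allow"
"LastUsedTimeStart"=hex(b):00,90,e5,d5,51,01,d8,01
"LastUsedTimeStop"=hex(b):00,1d,1e,e2,52,01,d8,01

[HKEY_USERS\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged\C:#Users#alice#AppData#Local#Temp#update.exe]
"Value"="Allow"
"LastUsedTimeStart"=hex(b):00,1d,1e,e2,52,01,d8,01
"LastUsedTimeStop"=hex(b):00,00,00,00,00,00,00,00
"""


def filetime_to_datetime(ticks: int):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime.
    A zero value means no time was recorded; return None rather than the
    1601-01-01 epoch that a naive conversion (and timestamp(winfiletime=0)) yields."""
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def qword_from_hex_list(hexlist: str) -> int:
    """Decode the little-endian 'hex(b):xx,xx,...' form reg export uses for REG_QWORD."""
    raw = bytes(int(b, 16) for b in hexlist.split(",") if b.strip())
    return int.from_bytes(raw, "little")


def parse_consent_store(reg_text: str):
    """Return one record per NonPackaged program key, in file order."""
    records, current, pending = [], None, ""
    for raw in reg_text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # reg export wraps long hex values with '\'
            pending = line[:-1]
            continue
        if line.startswith("["):         # new key: only NonPackaged program keys are kept
            m = NONPACKAGED_KEY.match(line)
            if m:
                current = {
                    "SourceLocation": "SoftwareHive" if m["hive"].upper() == "HKEY_LOCAL_MACHINE" else "UserHive",
                    "Accessed": m["capability"],                    # grandparent key, as path_split(...)[-3]
                    "Program": m["program"].replace("#", "\\"),    # '#' stands for '\' in the key name
                    "Consent": None,
                    "LastUsedTimeStart": None,
                    "LastUsedTimeStop": None,
                }
                records.append(current)
            else:
                current = None
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = name.strip('"')
        if name in ("LastUsedTimeStart", "LastUsedTimeStop") and value.lower().startswith("hex(b):"):
            current[name] = filetime_to_datetime(qword_from_hex_list(value[7:]))
        elif name == "Value":
            current["Consent"] = value.strip('"')
    return records


def still_in_use(record) -> bool:
    """Start recorded but Stop still zero: the capability had not been released
    when the values were last written."""
    return record["LastUsedTimeStart"] is not None and record["LastUsedTimeStop"] is None


if __name__ == "__main__":
    for r in parse_consent_store(SAMPLE_REG):
        print(r["SourceLocation"], r["Accessed"], r["Program"], r["Consent"],
              r["LastUsedTimeStart"], r["LastUsedTimeStop"], "IN USE" if still_in_use(r) else "")
```

On a live host, `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore" consent.reg` (and the same path under each loaded `HKU\<SID>`) produces input in this shape; the parser skips the packaged-app keys and the per-capability `Value`, which the artifact's glob and its `NOT Program = "Value"` filter also drop.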