Unlikely, there could be conferencing software running from a temp folder accessing the devices

Techniques

Sample rules

Suspicious Camera and Microphone Access

Description

Detects processes accessing the camera and microphone from a suspicious folder.

Detection logic

condition: all of selection_*
selection_1:
  TargetObject|contains|all:
  - \Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\
  - \NonPackaged
selection_2:
  TargetObject|contains:
  - microphone
  - webcam
selection_3:
  TargetObject|contains:
  - :#Windows#Temp#
  - :#$Recycle.bin#
  - :#Temp#
  - :#Users#Public#
  - :#Users#Default#
  - :#Users#Desktop#