PCYBOX Orbis: The Open-Source Watchdog That Exposes Every Hidden Mic Access and Data Exfiltration on Your Windows PC + Video

By /

Listen to this Post

Featured Image

Introduction:

Modern malware and even legitimate applications can secretly access your microphone, camera, and network stack to record conversations or exfiltrate sensitive data without any visible indicator. PCYBOX Orbis is a free, open-source (AGPL v3) Windows tool that provides real-time visibility into which process is using your mic or camera, ties that access to outbound network traffic, and raises a critical alert the moment an app sends data externally while recording.

Learning Objectives:

  • Detect real-time microphone and camera access attempts and correlate them with outbound exfiltration traffic.
  • Use kernel‑level port capture filtering and process attribution to identify hidden trackers and beacons.
  • Export network flow data to JSON/CSV for forensic analysis, and implement complementary hardening commands on Windows and Linux.

You Should Know:

1. Real‑Time Microphone/Camera Surveillance with Exfiltration Alerting

PCYBOX Orbis addresses a question raised by Jean‑Sebastien Mancebo: “Can we know which app is using our microphone right now and if that conversation is being exfiltrated to ad agencies?” The tool displays a live badge as soon as any application accesses the mic or camera. If that same app sends data to an external IP at the same moment, Orbis triggers an immediate critical alert—because that behavior exactly matches what a recording+exfiltration malware does.

Step‑by‑step guide to use this feature:

  1. Download the latest release from the GitHub repository and run the executable (no installation required on Windows 10/11).
  2. In the main dashboard, look for the Microphone/Camera badge – it shows which process currently has access (e.g., zoom.exe, chrome.exe, or a malicious powershell.exe).
  3. Simultaneously, the Network graph displays outbound connections from that process with destination IPs and ports.
  4. If Orbis detects that the process with mic/camera access is also sending packets outside, a red “Critical: Potential Exfiltration” banner appears. Click it to see the exact data flow.

You can complement this with manual Windows commands to verify processes:

 List processes currently using the microphone (Windows 10/11)
Get-Process | Where-Object { $<em>.Modules -like "audiodg" -or $</em>.MainWindowTitle -like "microphone" }

Monitor active network connections with process IDs
netstat -anob | findstr "ESTABLISHED"

Real-time connection logging using PowerShell
Get-NetTCPConnection | Where-Object { $_.State -eq "Established" } | Format-Table LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess

2. Kernel‑Level Port Capture Filtering and Process Attribution

One of Orbis’s advanced features, contributed by Ibrahima Ba, is a kernel‑level filter that captures traffic by port and directly attributes packets to the originating process – bypassing user‑mode hooks that malware can easily evade. This provides a tamper‑resistant source of truth.

Step‑by‑step guide to configure and validate kernel filtering:

  1. In Orbis, navigate to Settings → Capture Filter.
  2. Choose to filter by specific ports (e.g., 443, 53, 80, or custom ports used by ad trackers like 8080, 8443).
  3. Enable “Kernel Mode Capture” (requires administrator privileges). The tool uses Windows Filtering Platform (WFP) to inspect packets before they reach userland.
  4. Return to the Network Graph – you will see that even if a process tries to hide its traffic by using raw sockets or obfuscated DLLs, Orbis still shows the true PID and process path.

5. To test, simulate a hidden connection:

 Launch a hidden PowerShell instance that connects to a remote server
powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'http://example.com' -UseBasicParsing"

Orbis will immediately reveal the hidden powershell.exe process and its outbound request.

For Linux users analyzing similar behavior (e.g., on a network gateway), use these commands to attribute traffic to processes:

 Show which process is using a specific port (e.g., 443)
sudo ss -tulpn | grep ':443'

Real-time process attribution with netstat
sudo netstat -tunap | grep ESTABLISHED

Monitor new outbound connections per minute
watch -n 1 'ss -tunap | grep EST'

3. Anomaly Detection Using DNS Beacon Filtering

Laurent M. provided technical feedback to correctly filter legitimate DNS resolvers, preventing false positives. Orbis now distinguishes between normal DNS traffic (to your configured ISP or corporate resolver) and suspicious beaconing to malicious domains. It then calculates a Privacy Score based on the volume of trackers contacted.

Step‑by‑step guide to leverage DNS anomaly detection:

1. Open the Anomaly Detection tab in Orbis.

  1. Review the “Known Trackers” list – the tool maintains a local blocklist of ad/malware domains (can be updated via GitHub).
  2. Any DNS query to a tracker triggers a “Tracker Contact” alert. Multiple rapid queries to new domains lower the privacy score.

4. To test, simulate beaconing:

 DNS beacon simulation to a known tracker (example only)
Resolve-DnsName -Name "doubleclick.net" -Type A

Orbis will log this event, show the source process (powershell.exe), and mark it as a tracker.
5. Use the Export button to save the beacon log as JSON for integration with SIEMs.

For advanced users, combine with a local DNS sinkhole:

 On Linux (pihole or dnsmasq), log all queries from Windows clients
sudo tcpdump -i eth0 -n port 53 and host windows_client_ip

4. Exporting Network Data for Forensic Analysis (JSON/CSV)

Orbis provides one‑click export of all captured network flows, mic/camera access events, and anomaly alerts. This is essential for incident responders and threat hunters who need to analyze patterns over time or correlate with other logs.

Step‑by‑step guide to export and analyze:

  1. After letting Orbis run for a period (e.g., 1 hour of normal browsing), click File → Export.
  2. Choose format: JSON (structured, great for Python scripts) or CSV (compatible with Excel, Splunk, etc.).

3. Save the file. Example JSON entry:

{
"timestamp": "2025-03-15T14:23:10Z",
"process": "chrome.exe",
"pid": 2345,
"local_port": 52134,
"remote_ip": "185.199.108.153",
"remote_port": 443,
"bytes_sent": 1250,
"mic_access": false,
"camera_access": false,
"is_tracker": true
}

4. Use a Python script to detect exfiltration patterns:

import json
with open('export.json', 'r') as f:
data = [json.loads(line) for line in f]
suspicious = [e for e in data if e['mic_access'] and e['bytes_sent'] > 10000]
print(f"Found {len(suspicious)} potential exfiltration events")

5. For Windows forensic timelines, load the CSV into Timeline Explorer or LogParser.

  1. Hardening Windows Against Unauthorized Mic/Camera and Network Access

While Orbis detects abuse, you should also harden your system to prevent unauthorized access in the first place. Below are complementary commands and Group Policy settings.

Step‑by‑step guide to harden Windows:

  1. Disable microphone access for all apps except trusted ones:

– Open Settings → Privacy & Security → Microphone.
– Turn off “Let apps access your microphone”.
– Override per-app (allow only Zoom, Teams, etc.) using registry:

 Disable microphone for all non-Store apps
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone" -Name "Value" -Type String -Value "Deny"

2. Create a Windows Firewall rule to log outbound connections from untrusted processes:

New-NetFirewallRule -DisplayName "Log Outbound from Temp" -Direction Outbound -Program "C:\Users\AppData\Local\Temp\" -Action Allow -Enabled True -Profile Any
 Then enable firewall logging
netsh advfirewall set currentprofile logging filename %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log

3. Use Process Monitor (ProcMon) to filter microphone driver access:
– Download Sysinternals ProcMon.
– Add a filter: Path contains “audio.sys” then Include.
– Run Orbis alongside to cross‑verify.

For Linux users investigating remote exfiltration from a Windows machine, run a network capture on a gateway:

 Capture all traffic from Windows IP and write to PCAP
sudo tcpdump -i eth0 -s 1500 -w exfiltration.pcap host 192.168.1.100
 Then analyze with Wireshark or tshark
tshark -r exfiltration.pcap -Y "dns.qry.name contains \"tracker\""
  1. Simulating an Exfiltration Malware to Test Orbis’s Critical Alert

To fully appreciate Orbis’s capability, you can create a harmless simulation that records a dummy audio sample (via a loopback device) and sends it to a test server. Do this only in a controlled lab environment.

Step‑by‑step guide (Windows lab only):

  1. Install a virtual audio cable (e.g., VB-Cable) to simulate mic input.

2. Write a PowerShell script that:

  • Captures audio using `[System.Media.SoundRecorder]` (simulate).
  • Sends a UDP packet to a test remote IP (e.g., 127.0.0.1 for local testing). 
    Simulate exfiltration (ethical test)
$testRemote = "127.0.0.1"
$udpClient = New-Object System.Net.Sockets.UdpClient
$bytes = [System.Text.Encoding]::ASCII.GetBytes("Simulated recorded data")
$udpClient.Send($bytes, $bytes.Length, $testRemote, 12345)
$udpClient.Close()

3. Run this script while Orbis is active.

  • Orbis will show the script’s process (powershell.exe) accessing the virtual mic.
  • The moment the UDP packet leaves, the Critical Alert triggers.
  1. Verify the alert contains the PID, process name, remote IP/port, and the fact that mic was accessed within the same second.

This simulation proves how Orbis distinguishes between legitimate streaming (e.g., web conferencing) where mic access and outbound traffic are normal, versus a silent recording that exfiltrates without user interface.

  1. Integrating Orbis with Cloud and API Security Monitoring

For IT professionals managing cloud workloads, the principle of “process attribution + data exfiltration detection” applies to API security and cloud hardening. While Orbis runs on Windows endpoints, you can extend its philosophy to cloud environments using open‑source tooling like Falco (for runtime security) or custom eBPF agents.

Step‑by‑step guide to apply Orbis concepts to cloud APIs:
1. Detect API key exfiltration – Use Orbis on a jump box to monitor any process that reads `/.aws/credentials` and immediately connects to an external IP. For Linux cloud VMs, implement:

 Monitor file access to secrets and outgoing connections
sudo auditctl -w /home/user/.aws/credentials -p r -k aws_keys
sudo ausearch -k aws_keys --format text | while read line; do ss -tunap | grep EST; done

2. Implement eBPF-based process attribution on Kubernetes nodes using Tetragon or Cilium:

 Tetragon tracing policy to detect process reading /etc/kubernetes/secrets and making egress connection
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: "exfiltration-detect"
spec:
kprobes:
- call: "sys_write"
syscall: true
args:
- index: 0
type: "fd"

3. Cloud hardening – Use Orbis on a Windows admin workstation to monitor RDP or SSH sessions that attempt to copy files to cloud storage (Dropbox, AWS S3) while the mic is active – a rare but possible insider threat vector.

What Undercode Say:

  • Key Takeaway 1: PCYBOX Orbis bridges a critical gap in endpoint visibility by correlating physical sensor access (mic/camera) with network egress in real time. Most EDRs detect malware signatures or beaconing patterns, but few answer the simple question: “Is this app sending my recorded voice to an ad network right now?” Orbis provides that answer with open-source transparency.
  • Key Takeaway 2: Kernel‑level filtering and community-driven improvements (like DNS resolver whitelisting) make Orbis a reliable, tamper‑resistant tool for both average users and security analysts. Its AGPL v3 license ensures that organizations can audit, modify, and contribute to the detection logic – a vital feature when dealing with zero‑day exfiltration techniques.

Analysis: The rise of “surveillance capitalism” and government‑grade spyware (e.g., Pegasus, Predator) that silently activate microphones has created an urgent need for tools that democratize forensic visibility. Orbis addresses this by lowering the barrier to entry – no expensive EDR license required. However, its current Windows‑only limitation leaves macOS and Linux users dependent on manual scripts. The project’s rapid iteration (5 features added in one week, all from community feedback) shows a healthy open‑source model. Future integrations with Wireshark dissectors or Sysmon event logs would make Orbis a powerhouse for threat hunting.

Prediction:

Within 18 months, similar “sensor-to-egress correlation” features will become standard in consumer antivirus products and enterprise EDRs, especially as AI‑generated voice cloning makes mic access a high‑value target for social engineering. Regulatory bodies (e.g., GDPR, CCPA) may mandate such visibility for any software that handles voice data. PCYBOX Orbis, as an early pioneer, could evolve into a cross‑platform framework using eBPF on Linux and Endpoint Security Framework on macOS, forcing proprietary vendors to adopt transparent exfiltration alerts – ultimately giving users back control over their own microphones and cameras.

▶️ Related Video (72% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Ibrahima Samb – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky

Related Posts: