Processes Accessing the Microphone and Webcam

Sigma Rules

Summary
This detection rule identifies potential unauthorized access to the microphone and webcam on Windows endpoints. It looks for specific Event IDs that correlate with changes in security access permissions to the capability access settings for the microphone and webcam devices. These settings live in the Windows Registry, under the Capability Access Manager's Consent Store path for non-packaged applications. Adversaries could abuse microphone and webcam access to spy on users or extract sensitive information without consent. By monitoring Event IDs 4656, 4657, and 4663, the rule can alert security teams to potentially malicious attempts to access these privacy-sensitive devices.
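The matching logic described in the summary, as an added Python example run over constructed events (this is not the Sigma rule's own source). The key path fragment, the field names `EventID`, `ObjectName` and `ProcessName`, and the sample process paths are assumptions, since the page does not list them.

```python
# Added example. Assumption: the Consent Store key sits under this registry path.
CONSENT_STORE = r"\software\microsoft\windows\currentversion\capabilityaccessmanager\consentstore"
DEVICES = ("microphone", "webcam")
# Windows Security event IDs named in the summary.
EVENT_IDS = {
    4656: "handle to an object was requested",
    4657: "registry value was modified",
    4663: "attempt was made to access an object",
}

def device_accessed(object_name):
    """Return 'microphone' or 'webcam' if the key is under that device's NonPackaged store."""
    name = object_name.lower()
    idx = name.find(CONSENT_STORE)
    if idx < 0:
        return None
    rest = name[idx + len(CONSENT_STORE):]
    for dev in DEVICES:
        prefix = "\\" + dev + "\\nonpackaged"
        # Match the key itself or a subkey, not a sibling such as 'NonPackagedOther'.
        if rest == prefix or rest.startswith(prefix + "\\"):
            return dev
    return None

def detect(events):
    """Return (event_id, device, process) for each event that matches the rule's logic."""
    hits = []
    for ev in events:
        event_id = int(ev.get("EventID", 0))  # some exports carry the ID as a string
        if event_id not in EVENT_IDS:
            continue
        dev = device_accessed(ev.get("ObjectName", ""))
        if dev:
            hits.append((event_id, dev, ev.get("ProcessName", "")))
    return hits

# Constructed sample events, not real telemetry.
BASE = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore"
PROC = r"C:\Tools\recorder.exe"
SAMPLE_EVENTS = [
    {"EventID": 4663, "ObjectName": BASE + r"\webcam\NonPackaged\C:#Tools#recorder.exe", "ProcessName": PROC},
    {"EventID": 4657, "ObjectName": BASE + r"\microphone\NonPackaged", "ProcessName": PROC},
    {"EventID": 4663, "ObjectName": BASE + r"\location\NonPackaged", "ProcessName": PROC},   # other capability
    {"EventID": 4660, "ObjectName": BASE + r"\webcam\NonPackaged", "ProcessName": PROC},     # ID not in rule
    {"EventID": 4656, "ObjectName": BASE + r"\microphone\SomePackagedApp", "ProcessName": PROC},  # packaged app
]

if __name__ == "__main__":
    for event_id, dev, proc in detect(SAMPLE_EVENTS):
        print(f"{event_id} ({EVENT_IDS[event_id]}): {dev} consent key touched by {proc}")
```

These events are only logged when registry object-access auditing is enabled and an audit entry (SACL) is set on the monitored keys.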
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
Created: 2020-06-07