Suspicious Camera and Microphone Access

Sigma Rules

Summary
This detection rule flags processes that access the camera or microphone from suspicious locations, using Windows registry events as the evidence. It targets registry activity under the capability-access consent store, looking for processes that use microphone or webcam functionality while running from unusual or temporary directories. The logic is built around three selection criteria: (1) the registry path indicates the capability access manager consent store that records camera and microphone use, (2) the capability involved is either the microphone or the webcam, and (3) the accessing process is running from a temporary folder or a shared location such as the Recycle Bin or the public user folder (Users\Public). Events that meet all three conditions are a strong indicator of potentially malicious activity or misuse of hardware access. Given the increasing concern about privacy and surveillance through unauthorized access to devices, this rule provides a proactive mechanism to flag such activity and help mitigate the risk.
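As an added illustration, and not the rule's own YAML or any code from the Sigma project, the following Python matcher applies the three selection criteria above to constructed Sysmon-style registry events. The consent-store key layout and the fact that Windows writes a non-packaged executable's path under `...\ConsentStore\<capability>\NonPackaged\` with `#` in place of `\` are real Windows behaviour; the exact suspicious-location substrings, the event field names beyond `TargetObject`, and every sample event are assumptions constructed for this example.

```python
# Added example: a minimal matcher for the three criteria described in the rule
# summary, run over constructed Sysmon-style registry events. This is not the
# Sigma rule's own logic; the location substrings below are assumptions.

CONSENT_STORE = "\\capabilityaccessmanager\\consentstore\\"
CAPABILITIES = ("\\microphone\\", "\\webcam\\")
# Temporary and shared locations named in the summary (assumed substrings).
SUSPICIOUS_LOCATIONS = ("\\temp\\", "\\$recycle.bin\\", "\\users\\public\\")


def normalize_target(target_object: str) -> str:
    """Lower-case the key path and decode the NonPackaged executable path.

    Windows records a classic (non-packaged) executable under
    ...\\ConsentStore\\<capability>\\NonPackaged\\ with '#' in place of '\\',
    so a plain substring match on '\\Temp\\' would never fire without this step.
    """
    return target_object.replace("#", "\\").lower()


def matches_rule(event: dict) -> bool:
    """True when all three selection criteria hold for one registry event."""
    target = normalize_target(event.get("TargetObject", ""))
    in_consent_store = CONSENT_STORE in target                      # criterion 1
    mic_or_cam = any(c in target for c in CAPABILITIES)             # criterion 2
    odd_location = any(p in target for p in SUSPICIOUS_LOCATIONS)   # criterion 3
    return in_consent_store and mic_or_cam and odd_location


# Constructed sample events in the shape of Sysmon Event ID 13 (RegistryValueSet).
_PREFIX = ("HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion"
           "\\CapabilityAccessManager\\ConsentStore\\")
SAMPLE_EVENTS = [
    {"id": "mic-public",
     "TargetObject": _PREFIX + "microphone\\NonPackaged\\C:#Users#Public#updater.exe\\LastUsedTimeStart"},
    {"id": "cam-vendor-dir",  # benign: conferencing client in Program Files
     "TargetObject": _PREFIX + "webcam\\NonPackaged\\C:#Program Files#Meet#bin#meet.exe\\LastUsedTimeStop"},
    {"id": "mic-temp",
     "TargetObject": _PREFIX + "microphone\\NonPackaged\\C:#Users#alice#AppData#Local#Temp#svc.exe\\LastUsedTimeStart"},
    {"id": "loc-temp",        # same odd location, but the capability is location, not mic/cam
     "TargetObject": _PREFIX + "location\\NonPackaged\\C:#Users#alice#AppData#Local#Temp#svc.exe\\LastUsedTimeStart"},
    {"id": "cam-recycle",
     "TargetObject": _PREFIX + "webcam\\NonPackaged\\C:#$Recycle.Bin#S-1-5-21-1-2-3-1001#$RABC123.exe\\LastUsedTimeStart"},
    {"id": "cam-store-app",   # packaged (Store) app: no file path in the key at all
     "TargetObject": _PREFIX + "webcam\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LastUsedTimeStart"},
]


def evaluate(events):
    """Return the ids of events that trigger the rule, in input order."""
    return [e["id"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(("ALERT " if matches_rule(event) else "ok    ") + event["id"])
```

When tuning this, expect installers and self-updating clients that run briefly from a Temp directory to trip criterion 3; pairing the alert with the process-creation event for the executable named in the key (its signer, parent and command line) is the usual way to separate those from a payload that stages itself in Temp, the Recycle Bin or Users\Public and then opens the microphone.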
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
Created: 2020-06-07