Accessibility features in Windows OS can be launched with a key combination before a user logs in. An attacker can modify the way these programs are launched to use services like Command Prompt or Backdoor without even logging into the system.
There are two most common accessibility programs
- C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times and
- C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed.
This feature can be used to maintain persistence and elevation of system privilege. This should, therefore, be monitored always.
Data Sources
Sysmon: Process and Registry Monitoring (event id 1, 12 and 13)Windows: Process Monitoring (event id 4688)
Logic:
process WHERE (parent_process_name = "setchc.exe" OR parent_process_name = "osk.exe" OR parent_process_name = "utilman.exe" OR parent_process_name = "Magnify.exe" OR parent_process_name = "DisplaySwitch.exe" OR parent_process_name = "AtBroker.exe") OR (process_name = "setchc.exe" OR process_name = "osk.exe" OR process_name = "utilman.exe" OR process_name = "Magnify.exe" OR process_name = "DisplaySwitch.exe" OR process_name = "AtBroker.exe") AND target_object CONTAINS ('HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options' AND 'Debugger')
No comments:
Post a Comment