2018-03-15 18:53:34 +00:00
title : Sticky Key Like Backdoor Usage
2018-03-16 08:10:07 +00:00
description : Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
2018-03-15 18:53:34 +00:00
references :
- https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
2018-07-23 21:57:15 +00:00
tags :
2018-07-24 05:58:25 +00:00
- attack.privilege_escalation
2018-07-23 21:57:15 +00:00
- attack.persistence
- attack.t1015
2018-03-19 15:36:15 +00:00
author : Florian Roth, @twjackomo
2018-03-15 18:53:34 +00:00
date : 2018 /03/15
logsource :
product : windows
service : sysmon
detection :
2018-03-16 08:10:07 +00:00
selection_process :
2018-03-15 18:53:34 +00:00
EventID : 1
ParentImage :
- '*\winlogon.exe'
CommandLine :
- '*\cmd.exe sethc.exe *'
- '*\cmd.exe utilman.exe *'
- '*\cmd.exe osk.exe *'
2018-03-16 09:52:43 +00:00
- '*\cmd.exe Magnify.exe *'
- '*\cmd.exe Narrator.exe *'
- '*\cmd.exe DisplaySwitch.exe *'
2018-03-16 08:10:07 +00:00
selection_registry :
EventID : 13
TargetObject :
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger'
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger'
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger'
2018-03-16 09:52:43 +00:00
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger'
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger'
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger'
2018-03-16 08:10:07 +00:00
EventType : 'SetValue'
condition : 1 of them
2018-03-15 18:53:34 +00:00
falsepositives :
- Unlikely
level : critical