rule: debugger registration

2024-11-08 02:08:54 +00:00 · 2019-09-06 10:08:09 +02:00 · 2019-09-06 10:08:09 +02:00 · 27f875755f
commit 27f875755f
parent c81d3bf56c
1 changed files with 40 additions and 0 deletions
--- a/rules/windows/sysmon/sysmon_reg_debugger_backdoor.yml
+++ b/rules/windows/sysmon/sysmon_reg_debugger_backdoor.yml
@ -0,0 +1,40 @@
+title: Suspicious Debugger Registration
+status: experimental
+description: Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor)
+references: 
+    - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
+tags:
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1015
+author: Florian Roth
+date: 2019/09/06
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection_proc:
+        EventID: 1
+        CommandLine:
+            - '*\CurrentVersion\Image File Execution Options\sethc.exe*'
+            - '*\CurrentVersion\Image File Execution Options\utilman.exe*'
+            - '*\CurrentVersion\Image File Execution Options\osk.exe*'
+            - '*\CurrentVersion\Image File Execution Options\magnify.exe*'
+            - '*\CurrentVersion\Image File Execution Options\narrator.exe*'
+            - '*\CurrentVersion\Image File Execution Options\displayswitch.exe*'
+    selection_reg:
+        EventID:
+            - 12
+            - 13
+        TargetObject: 
+            - '*\CurrentVersion\Image File Execution Options\sethc.exe*'
+            - '*\CurrentVersion\Image File Execution Options\utilman.exe*'
+            - '*\CurrentVersion\Image File Execution Options\osk.exe*'
+            - '*\CurrentVersion\Image File Execution Options\magnify.exe*'
+            - '*\CurrentVersion\Image File Execution Options\narrator.exe*'
+            - '*\CurrentVersion\Image File Execution Options\displayswitch.exe*'
+    condition: selection_proc or selection_reg
+falsepositives:
+    - Penetration Tests
+level: high
+