Merge pull request #1148 from sn0w0tter/oscd

[OSCD] LOLBAS atbroker suspicious execution of ATs
This commit is contained in:
Thomas Patzke 2020-10-13 11:45:07 +02:00 committed by GitHub
commit acb02d8d65
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -0,0 +1,53 @@
title: Suspicious Atbroker Execution
id: f24bcaea-0cd1-11eb-adc1-0242ac120002
description: Atbroker executing non-deafualt Assistive Technology applications
references:
- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
- https://lolbas-project.github.io/lolbas/Binaries/Atbroker/
status: experimental
author: Mateusz Wydra, oscd.community
date: 2020/10/12
tags:
- attack.defense_evasion
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection1:
- Image|endswith: 'AtBroker.exe'
selection2:
- CommandLine|contains: 'start'
filter:
- CommandLine|contains:
- animations
- audiodescription
- caretbrowsing
- caretwidth
- colorfiltering
- cursorscheme
- filterkeys
- focusborderheight
- focusborderwidth
- highcontrast
- keyboardcues
- keyboardpref
- magnifierpane
- messageduration
- minimumhitradius
- mousekeys
- Narrator
- osk
- overlappedcontent
- showsounds
- soundsentry
- stickykeys
- togglekeys
- windowarranging
- windowtracking
- windowtrackingtimeout
- windowtrackingzorder
condition: selection1 and selection2 and not filter
falsepositives:
- Legitimate, non-deafualt Assistive Technology applications execution
level: high
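Review bot: "non-deafualt" is misspelled in both the `description` line and the `falsepositives` entry; it should read "non-default" in both places, since these fields surface directly in alert text and documentation. On the detection logic, `selection2` only requires that the command line contain the substring `start`, which is broad on its own; it is acceptable here only because `selection1` anchors on `AtBroker.exe` and the `filter` list enumerates the built-in Assistive Technology names from the referenced LOLBAS entry, so any future additions to Windows' default AT set will need to be appended to that list to keep the false-positive rate down. Note also that `Narrator` is the only capitalised entry in the filter; Sigma's `contains` modifier is case-insensitive by default so it matches, but lowercasing it for consistency with the other entries would make the list easier to maintain.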