Merge pull request #71 from Karneades/patch-1

Add missing binaries

rules/windows/sysmon/sysmon_stickykey_like_backdoor.yml

@@ -16,12 +16,18 @@ detection:
             - '*\cmd.exe sethc.exe *'
             - '*\cmd.exe utilman.exe *'
             - '*\cmd.exe osk.exe *'
+            - '*\cmd.exe Magnify.exe *'
+            - '*\cmd.exe Narrator.exe *'
+            - '*\cmd.exe DisplaySwitch.exe *'
     selection_registry:
         EventID: 13
         TargetObject: 
             - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger'
             - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger'
             - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger'
+            - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger'
+            - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger'
+            - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger'
         EventType: 'SetValue'
     condition: 1 of them
 falsepositives: