title: Atbroker Registry Change
id: 9577edbb-851f-4243-8c91-1d5b50c1a39b
description: Detects creation/modification of Assisitive Technology applications and persistance with usage of ATs
author: Mateusz Wydra, oscd.community
references:
    - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Atbroker.yml
date: 2020/10/13
modified: 2021/05/24
tags:
    - attack.defense_evasion
    - attack.t1218
    - attack.persistence
    - attack.t1547
logsource:
    category: registry_event
    product: windows
detection:
    creation:
        TargetObject|contains: 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs'
    persistance:
        TargetObject|contains: 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration'
    condition: creation or persistance
falsepositives:
    - Creation of non-default, legitimate AT.
level: high