mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 18:23:52 +00:00
865d971704
Example command line is exactly "cmd.exe sethc.exe 211". => the detection with *\cmd.exe... would not match.
48 lines
1.8 KiB
YAML
48 lines
1.8 KiB
YAML
---
|
|
action: global
|
|
title: Sticky Key Like Backdoor Usage
|
|
description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
|
|
references:
|
|
- https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
|
|
tags:
|
|
- attack.privilege_escalation
|
|
- attack.persistence
|
|
- attack.t1015
|
|
author: Florian Roth, @twjackomo
|
|
date: 2018/03/15
|
|
detection:
|
|
condition: 1 of them
|
|
falsepositives:
|
|
- Unlikely
|
|
level: critical
|
|
---
|
|
logsource:
|
|
product: windows
|
|
service: sysmon
|
|
detection:
|
|
selection_registry:
|
|
EventID: 13
|
|
TargetObject:
|
|
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger'
|
|
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger'
|
|
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger'
|
|
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger'
|
|
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger'
|
|
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger'
|
|
EventType: 'SetValue'
|
|
---
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection_process:
|
|
ParentImage:
|
|
- '*\winlogon.exe'
|
|
CommandLine:
|
|
- '*cmd.exe sethc.exe *'
|
|
- '*cmd.exe utilman.exe *'
|
|
- '*cmd.exe osk.exe *'
|
|
- '*cmd.exe Magnify.exe *'
|
|
- '*cmd.exe Narrator.exe *'
|
|
- '*cmd.exe DisplaySwitch.exe *'
|