SigmaHQ/rules/windows/process_creation/win_susp_atbroker.yml
2021-04-03 00:08:55 +02:00


title: Suspicious Atbroker Execution
id: f24bcaea-0cd1-11eb-adc1-0242ac120002
description: Atbroker executing non-default Assistive Technology applications
references:
    - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
    - https://lolbas-project.github.io/lolbas/Binaries/Atbroker/
status: experimental
author: Mateusz Wydra, oscd.community
date: 2020/10/12
tags:
    - attack.defense_evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        - Image|endswith: 'AtBroker.exe'
    selection2:
        - CommandLine|contains: 'start'
    filter:
        - CommandLine|contains:
            - animations
            - audiodescription
            - caretbrowsing
            - caretwidth
            - colorfiltering
            - cursorscheme
            - filterkeys
            - focusborderheight
            - focusborderwidth
            - highcontrast
            - keyboardcues
            - keyboardpref
            - magnifierpane
            - messageduration
            - minimumhitradius
            - mousekeys
            - Narrator
            - osk
            - overlappedcontent
            - showsounds
            - soundsentry
            - stickykeys
            - togglekeys
            - windowarranging
            - windowtracking
            - windowtrackingtimeout
            - windowtrackingzorder
    condition: selection1 and selection2 and not filter
falsepositives:
    - Legitimate, non-default assistive technology applications execution
level: high
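The following Python is an added example, not part of the SigmaHQ rule above or of any Sigma backend. It transcribes the rule's detection section into a dictionary and evaluates it over a few constructed process-creation events, reproducing the Sigma semantics the rule relies on: string matching is case-insensitive, several values under one field are OR'ed, a list of maps under a selection is OR'ed, and the condition combines selection names with and/or/not. The function names (`matches`, `run_samples`), the sample command lines and the assistive-technology names `CustomReader` and `kioskreader` are assumptions made for the illustration.

```python
# Added example: minimal evaluator for the 'Suspicious Atbroker Execution' rule
# logic over constructed process-creation events. Not SigmaHQ code; it covers
# only the modifiers this rule uses (endswith, contains) with Sigma's default
# case-insensitive string comparison.
import re

# Detection section transcribed from the rule.
DETECTION = {
    "selection1": [{"Image|endswith": "AtBroker.exe"}],
    "selection2": [{"CommandLine|contains": "start"}],
    "filter": [{"CommandLine|contains": [
        "animations", "audiodescription", "caretbrowsing", "caretwidth",
        "colorfiltering", "cursorscheme", "filterkeys", "focusborderheight",
        "focusborderwidth", "highcontrast", "keyboardcues", "keyboardpref",
        "magnifierpane", "messageduration", "minimumhitradius", "mousekeys",
        "Narrator", "osk", "overlappedcontent", "showsounds", "soundsentry",
        "stickykeys", "togglekeys", "windowarranging", "windowtracking",
        "windowtrackingtimeout", "windowtrackingzorder",
    ]}],
}
CONDITION = "selection1 and selection2 and not filter"


def _match_value(modifier, actual, expected):
    """Compare one field value; Sigma string matching is case-insensitive."""
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return e in a
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "":
        return a == e
    raise ValueError(f"unsupported modifier: {modifier!r}")


def _match_map(event, spec):
    """Every field in one map must match (AND); a list of values for a field is OR."""
    for key, expected in spec.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(modifier, event[field], v) for v in values):
            return False
    return True


def _match_selection(event, spec):
    """A selection written as a list of maps matches if any map matches (OR)."""
    maps = spec if isinstance(spec, list) else [spec]
    return any(_match_map(event, m) for m in maps)


def matches(event, detection=DETECTION, condition=CONDITION):
    """Return True when the event satisfies the rule's condition expression."""
    results = {name: _match_selection(event, spec) for name, spec in detection.items()}

    def to_bool(m):
        word = m.group(0)
        if word in ("and", "or", "not"):
            return word
        return str(results[word])  # KeyError for a name the rule never defined

    # Only selection names and and/or/not survive the substitution, so the
    # resulting expression contains nothing but booleans and operators.
    expr = re.sub(r"[A-Za-z_]\w*", to_bool, condition)
    return bool(eval(expr, {"__builtins__": {}}, {}))


# Constructed sample events (not real telemetry); the AT names are hypothetical.
SAMPLE_EVENTS = [
    # Default AT started through AtBroker: selections match, filter suppresses.
    {"Image": r"C:\Windows\System32\AtBroker.exe", "CommandLine": "AtBroker.exe start Narrator"},
    # A name absent from the filter list fires the rule.
    {"Image": r"C:\Windows\System32\AtBroker.exe", "CommandLine": "AtBroker.exe start CustomReader"},
    # Different image: selection1 fails although the command line contains 'start'.
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe start.txt"},
    # AtBroker without 'start': selection2 fails.
    {"Image": r"C:\Windows\System32\AtBroker.exe", "CommandLine": "AtBroker.exe"},
    # Lower-case image and command line still match (case-insensitive).
    {"Image": r"c:\windows\system32\atbroker.exe", "CommandLine": "atbroker.exe start customreader"},
    # 'contains' is a substring test: a name containing 'osk' is suppressed too.
    {"Image": r"C:\Windows\System32\AtBroker.exe", "CommandLine": "AtBroker.exe start kioskreader"},
]


def run_samples(events=SAMPLE_EVENTS):
    """Evaluate each sample event; returns the match results in order."""
    return [matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, run_samples()):
        print("ALERT" if hit else "ok   ", event["CommandLine"])
```

The last sample is the tuning point to keep in mind when reviewing the filter: because every entry uses `contains`, any command line whose argument merely contains one of the listed tokens (here `osk`) is suppressed, so the filter is broader than an exact match on the default AT names would be.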