Potential DLL Injection Via AccCheckConsole
Detects the execution "AccCheckConsole" a command-line tool for verifying the accessibility implementation of an application's UI. One of the tests that this checker can run are called "verification routine", which tests for things like Consistency, Navigation, etc. The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such DLLs and pass it via the CLI, which would then be loaded in the context of the "AccCheckConsole" utility.
Sigma rule (View on GitHub)
1title: Potential DLL Injection Via AccCheckConsole
2id: 0f6da907-5854-4be6-859a-e9958747b0aa
3status: test
4description: |
5 Detects the execution "AccCheckConsole" a command-line tool for verifying the accessibility implementation of an application's UI.
6 One of the tests that this checker can run are called "verification routine", which tests for things like Consistency, Navigation, etc.
7 The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such DLLs and pass it via the CLI, which would then be loaded in the context of the "AccCheckConsole" utility.
8references:
9 - https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340
10 - https://twitter.com/bohops/status/1477717351017680899?s=12
11 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/
12author: Florian Roth (Nextron Systems)
13date: 2022-01-06
14modified: 2024-08-29
15tags:
16 - attack.execution
17 - detection.threat-hunting
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection_img:
23 - Image|endswith: '\AccCheckConsole.exe'
24 - OriginalFileName: 'AccCheckConsole.exe'
25 selection_cli:
26 CommandLine|contains:
27 - ' -hwnd'
28 - ' -process '
29 - ' -window '
30 condition: all of selection_*
31falsepositives:
32 - Legitimate use of the UI Accessibility Checker
33level: medium
References
-
AccChecker LOLBIN [AccCheckConsole.exe]. GitHub Gist: instantly share code, notes, and snippets.
Read More -
Related rules
- Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths
- Windows Binary Executed From WSL
- Wusa.EXE Executed By Parent Process Located In Suspicious Location
- Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE
- Suspicious File Download From File Sharing Domain Via Curl.EXE