Potential DLL Injection Via AccCheckConsole
Detects the execution "AccCheckConsole" a command-line tool for verifying the accessibility implementation of an application's UI. One of the tests that this checker can run are called "verification routine", which tests for things like Consistency, Navigation, etc. The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such DLLs and pass it via the CLI, which would then be loaded in the context of the "AccCheckConsole" utility.
Sigma rule (View on GitHub)
1title: Potential DLL Injection Via AccCheckConsole
2id: 0f6da907-5854-4be6-859a-e9958747b0aa
3status: test
4description: |
5 Detects the execution "AccCheckConsole" a command-line tool for verifying the accessibility implementation of an application's UI.
6 One of the tests that this checker can run are called "verification routine", which tests for things like Consistency, Navigation, etc.
7 The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such DLLs and pass it via the CLI, which would then be loaded in the context of the "AccCheckConsole" utility.
8references:
9 - https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340
10 - https://twitter.com/bohops/status/1477717351017680899?s=12
11 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/
12author: Florian Roth (Nextron Systems)
13date: 2022-01-06
14modified: 2024-08-29
15tags:
16 - attack.execution
17 - detection.threat-hunting
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection_img:
23 - Image|endswith: '\AccCheckConsole.exe'
24 - OriginalFileName: 'AccCheckConsole.exe'
25 selection_cli:
26 CommandLine|contains:
27 - ' -hwnd'
28 - ' -process '
29 - ' -window '
30 condition: all of selection_*
31falsepositives:
32 - Legitimate use of the UI Accessibility Checker
33level: medium
References
-
AccChecker LOLBIN [AccCheckConsole.exe]. GitHub Gist: instantly share code, notes, and snippets.
Read More -
AccCheckConsole.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.
Read More
Related rules
- Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths
- Windows Binary Executed From WSL
- Wusa.EXE Executed By Parent Process Located In Suspicious Location
- Data Export From MSSQL Table Via BCP.EXE
- Potentially Suspicious Rundll32.EXE Execution of UDL File