Uncommon Assistive Technology Applications Execution Via AtBroker.EXE

Detects the start of a non-built-in assistive technology application via "AtBroker.EXE".

Sigma rule

```yaml
title: Uncommon Assistive Technology Applications Execution Via AtBroker.EXE
id: f24bcaea-0cd1-11eb-adc1-0242ac120002
status: test
description: Detects the start of a non built-in assistive technology applications via "Atbroker.EXE".
references:
    - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
    - https://lolbas-project.github.io/lolbas/Binaries/Atbroker/
author: Mateusz Wydra, oscd.community
date: 2020-10-12
modified: 2024-03-06
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\AtBroker.exe'
        - OriginalFileName: 'AtBroker.exe'
    selection_cli:
        CommandLine|contains: 'start'
    filter_main_builtin:
        CommandLine|contains:
            - 'animations'
            - 'audiodescription'
            - 'caretbrowsing'
            - 'caretwidth'
            - 'colorfiltering'
            - 'cursorindicator'
            - 'cursorscheme'
            - 'filterkeys'
            - 'focusborderheight'
            - 'focusborderwidth'
            - 'highcontrast'
            - 'keyboardcues'
            - 'keyboardpref'
            - 'livecaptions'
            - 'magnifierpane'
            - 'messageduration'
            - 'minimumhitradius'
            - 'mousekeys'
            - 'Narrator'
            - 'osk'
            - 'overlappedcontent'
            - 'showsounds'
            - 'soundsentry'
            - 'speechreco'
            - 'stickykeys'
            - 'togglekeys'
            - 'voiceaccess'
            - 'windowarranging'
            - 'windowtracking'
            - 'windowtrackingtimeout'
            - 'windowtrackingzorder'
    filter_optional_java:
        CommandLine|contains: 'Oracle_JavaAccessBridge'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate, non-default assistive technology applications execution
level: medium
```
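To see how the rule's two selections and two filters combine, here is an added Python example (not part of the Sigma project or of the rule author's work) that hand-evaluates the rule's logic over a handful of constructed process-creation events. Field names follow the rule (`Image`, `OriginalFileName`, `CommandLine`); the event values, including the assistive-technology name `ExampleVendorAT`, are made up for illustration, and the helper function names are my own. Sigma string matching is case-insensitive by default, which the example mirrors.

```python
"""Hand-evaluate the AtBroker.EXE Sigma rule against constructed events.

Added example, not the Sigma project's code. Implements the rule's
condition: all of selection_* and not 1 of filter_main_* and not 1 of
filter_optional_*. Matching is case-insensitive, as in Sigma's defaults.
"""

# Keyword list copied from the rule's filter_main_builtin block.
BUILTIN_AT_KEYWORDS = [
    "animations", "audiodescription", "caretbrowsing", "caretwidth",
    "colorfiltering", "cursorindicator", "cursorscheme", "filterkeys",
    "focusborderheight", "focusborderwidth", "highcontrast", "keyboardcues",
    "keyboardpref", "livecaptions", "magnifierpane", "messageduration",
    "minimumhitradius", "mousekeys", "Narrator", "osk", "overlappedcontent",
    "showsounds", "soundsentry", "speechreco", "stickykeys", "togglekeys",
    "voiceaccess", "windowarranging", "windowtracking",
    "windowtrackingtimeout", "windowtrackingzorder",
]

# Keyword from the rule's filter_optional_java block.
OPTIONAL_FILTER_KEYWORDS = ["Oracle_JavaAccessBridge"]


def _contains(value, needle):
    """Sigma '|contains': case-insensitive substring test."""
    return needle.lower() in (value or "").lower()


def selection_img(event):
    """Either list entry matches: Image ends with the path suffix, or OriginalFileName equals it."""
    return (
        (event.get("Image") or "").lower().endswith("\\atbroker.exe")
        or (event.get("OriginalFileName") or "").lower() == "atbroker.exe"
    )


def selection_cli(event):
    return _contains(event.get("CommandLine"), "start")


def filter_main_builtin(event):
    """Any built-in AT keyword anywhere in the command line suppresses the alert."""
    return any(_contains(event.get("CommandLine"), k) for k in BUILTIN_AT_KEYWORDS)


def filter_optional_java(event):
    return any(_contains(event.get("CommandLine"), k) for k in OPTIONAL_FILTER_KEYWORDS)


def rule_matches(event):
    """The rule's condition line, evaluated for one process_creation event."""
    return (
        selection_img(event)
        and selection_cli(event)
        and not filter_main_builtin(event)
        and not filter_optional_java(event)
    )


def evaluate(events):
    """Return one boolean per event: True where the rule would alert."""
    return [rule_matches(e) for e in events]


# Constructed sample events (hypothetical values, not real telemetry).
_SYS_IMAGE = r"C:\Windows\System32\AtBroker.exe"
SAMPLE_EVENTS = [
    # 1. built-in On-Screen Keyboard: suppressed by filter_main_builtin
    {"Image": _SYS_IMAGE, "OriginalFileName": "AtBroker.exe",
     "CommandLine": "AtBroker.exe start osk"},
    # 2. built-in Narrator in lower case: still suppressed (case-insensitive)
    {"Image": _SYS_IMAGE, "OriginalFileName": "AtBroker.exe",
     "CommandLine": "atbroker.exe start narrator"},
    # 3. Java Access Bridge: suppressed by filter_optional_java
    {"Image": _SYS_IMAGE, "OriginalFileName": "AtBroker.exe",
     "CommandLine": "AtBroker.exe start Oracle_JavaAccessBridge"},
    # 4. no 'start' argument: selection_cli fails
    {"Image": _SYS_IMAGE, "OriginalFileName": "AtBroker.exe",
     "CommandLine": "AtBroker.exe"},
    # 5. non-built-in AT name (constructed): the rule alerts
    {"Image": _SYS_IMAGE, "OriginalFileName": "AtBroker.exe",
     "CommandLine": "AtBroker.exe start ExampleVendorAT"},
    # 6. renamed copy caught through OriginalFileName: the rule alerts
    {"Image": r"C:\Users\Public\ab.exe", "OriginalFileName": "AtBroker.exe",
     "CommandLine": "ab.exe start ExampleVendorAT"},
]

if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{'ALERT ' if hit else 'quiet '} {event['CommandLine']}")
```

Two properties of `|contains` are worth keeping in mind when tuning this rule: `start` is matched as a substring, so a command line containing `restart` also satisfies `selection_cli`, and any built-in keyword appearing anywhere in the command line (not only as the argument after `start`) suppresses the alert. Both make the rule err on the side of fewer alerts, which is consistent with its stated false-positive note about legitimate non-default assistive technology applications.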
