Potential Privilege Escalation Using Symlink Between Osk and Cmd
Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.
Sigma rule

```yaml
title: Potential Privilege Escalation Using Symlink Between Osk and Cmd
id: e9b61244-893f-427c-b287-3e708f321c6b
status: test
description: Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md
    - https://ss64.com/nt/mklink.html
author: frack113
date: 2022-12-11
modified: 2022-12-20
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.008
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cli:
        CommandLine|contains|all:
            - 'mklink'
            - '\osk.exe'
            - '\cmd.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
```
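To make the rule's matching semantics concrete, here is an added example (not code from the Sigma project) that evaluates the detection logic above over a few constructed process_creation events: the two entries under `selection_img` are OR-ed, `contains|all` requires every token, and `all of selection_*` AND-s the two selections. Field names and sample values are assumed to follow the Sysmon-style process_creation schema Sigma uses.

```python
# Added example, not part of the Sigma rule set: a minimal evaluator for the
# rule above. Sigma string modifiers are case-insensitive by default.
from typing import Dict, List


def _lower(value: object) -> str:
    return str(value).lower()


def selection_img(event: Dict[str, str]) -> bool:
    """A list of maps under a selection is an OR between the entries."""
    return (_lower(event.get("Image", "")).endswith(r"\cmd.exe")
            or _lower(event.get("OriginalFileName", "")) == "cmd.exe")


def selection_cli(event: Dict[str, str]) -> bool:
    """CommandLine|contains|all: every listed token must appear."""
    cli = _lower(event.get("CommandLine", ""))
    return all(tok in cli for tok in ("mklink", r"\osk.exe", r"\cmd.exe"))


def matches(event: Dict[str, str]) -> bool:
    """condition: all of selection_*"""
    return selection_img(event) and selection_cli(event)


# Constructed sample events (assumed Sysmon/Sigma process_creation field names).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # 0: the behaviour the rule describes -> fires
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c mklink C:\Windows\System32\osk.exe C:\Windows\System32\cmd.exe"},
    # 1: benign mklink from cmd.exe for an unrelated link -> no osk.exe token, does not fire
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c mklink /D C:\Data\link C:\Data\target"},
    # 2: renamed cmd.exe: Image check fails but OriginalFileName still matches -> fires
    {"Image": r"C:\Temp\c.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"c.exe /c mklink C:\Windows\System32\osk.exe C:\Windows\System32\cmd.exe"},
    # 3: same command line seen on a non-cmd.exe process -> selection_img fails, does not fire
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"powershell.exe cmd /c mklink C:\Windows\System32\osk.exe C:\Windows\System32\cmd.exe"},
]


def alerts(events: List[Dict[str, str]]) -> List[int]:
    """Return the indices of events that satisfy the rule's condition."""
    return [i for i, e in enumerate(events) if matches(e)]
```

Event 3 shows a coverage boundary worth knowing when tuning: because `selection_img` is keyed to cmd.exe as the created process, the same command line launched through another host process is not matched by this rule as written.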
Related rules
- Potential Suspicious Activity Using SeCEdit
- Sticky Key Like Backdoor Execution
- Sticky Key Like Backdoor Usage - Registry
- Suspicious Debugger Registration Cmdline
- Abuse of Service Permissions to Hide Services Via Set-Service