Potential Privilege Escalation Using Symlink Between Osk and Cmd

Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.

Sigma rule

title: Potential Privilege Escalation Using Symlink Between Osk and Cmd
id: e9b61244-893f-427c-b287-3e708f321c6b
status: test
description: Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md
    - https://ss64.com/nt/mklink.html
author: frack113
date: 2022/12/11
modified: 2022/12/20
tags:
    - attack.privilege_escalation
    - attack.persistence
    - attack.t1546.008
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cli:
        CommandLine|contains|all:
            - 'mklink'
            - '\osk.exe'
            - '\cmd.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
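As an added example (not Sigma's own engine and not code from the rule's author), the rule's matching logic re-implemented in plain Python and run over constructed process_creation events; the field names follow the rule's log source, and the sample command lines are made up for the test.

```python
# Sigma string modifiers (endswith, contains) are case-insensitive by default;
# the helpers below mirror that by lower-casing both sides before comparing.

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {   # expected to match: mklink pointing osk.exe at cmd.exe
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r'cmd.exe /c mklink "C:\Windows\System32\osk.exe" "C:\Windows\System32\cmd.exe"',
    },
    {   # expected to match: binary renamed, but OriginalFileName still says Cmd.Exe
        "Image": r"C:\Temp\updater.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r"MKLINK C:\Windows\System32\OSK.EXE C:\Windows\System32\CMD.EXE",
    },
    {   # expected not to match: mklink with an unrelated target
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r"cmd.exe /c mklink C:\link.txt C:\data\notes.txt",
    },
    {   # expected not to match: osk.exe started normally
        "Image": r"C:\Windows\System32\osk.exe",
        "OriginalFileName": "osk.exe",
        "CommandLine": r"C:\Windows\System32\osk.exe",
    },
]


def _field(event, name):
    return str(event.get(name, "")).lower()


def selection_img(event):
    """A list of maps under a selection means OR between the items."""
    return (_field(event, "Image").endswith(r"\cmd.exe")
            or _field(event, "OriginalFileName") == "cmd.exe")


def selection_cli(event):
    """contains|all: every listed substring must appear in CommandLine."""
    cli = _field(event, "CommandLine")
    return all(s in cli for s in ("mklink", r"\osk.exe", r"\cmd.exe"))


def matches_rule(event):
    """condition: all of selection_* -> both selections must be true."""
    return selection_img(event) and selection_cli(event)


def run_detection(events=SAMPLE_EVENTS):
    """Return the indices of the events that fire the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]
```

The second sample event shows why the rule keys on OriginalFileName as well as Image: renaming cmd.exe on disk does not change the PE version resource that OriginalFileName is read from.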
