Potential Privilege Escalation Using Symlink Between Osk and Cmd
Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.
Sigma rule
```yaml
title: Potential Privilege Escalation Using Symlink Between Osk and Cmd
id: e9b61244-893f-427c-b287-3e708f321c6b
status: experimental
description: Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md
    - https://ss64.com/nt/mklink.html
author: frack113
date: 2022/12/11
modified: 2022/12/20
tags:
    - attack.privilege_escalation
    - attack.persistence
    - attack.t1546.008
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cli:
        CommandLine|contains|all:
            - 'mklink'
            - '\osk.exe'
            - '\cmd.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
```
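The rule's detection logic expressed as a small Python checker and run over constructed process-creation events. This is an added example, not code from the Sigma project or the rule author; the event dicts are constructed samples using Sysmon-style field names (Image, OriginalFileName, CommandLine), and matching follows Sigma's default case-insensitive string comparison.

```python
# Added example: applies the rule's selection logic to process-creation events.
# Sigma string matching is case-insensitive by default, so values are lowercased.
from typing import Dict, List

def _lc(value) -> str:
    return (value or "").lower()

def selection_img(event: Dict[str, str]) -> bool:
    """selection_img: Image ends with '\\cmd.exe' OR OriginalFileName is 'Cmd.Exe'."""
    return (_lc(event.get("Image")).endswith("\\cmd.exe")
            or _lc(event.get("OriginalFileName")) == "cmd.exe")

def selection_cli(event: Dict[str, str]) -> bool:
    """selection_cli: CommandLine contains all of 'mklink', '\\osk.exe', '\\cmd.exe'."""
    cli = _lc(event.get("CommandLine"))
    return all(token in cli for token in ("mklink", "\\osk.exe", "\\cmd.exe"))

def rule_matches(event: Dict[str, str]) -> bool:
    """condition: all of selection_* (both selections must hold)."""
    return selection_img(event) and selection_cli(event)

# Constructed sample events (Sysmon-style field names, not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # mklink of an unrelated path: lacks '\osk.exe' and '\cmd.exe', no alert
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r"cmd.exe /c mklink /d C:\Data\Link C:\Data\Target",
    },
    {   # accessibility binary linked to cmd.exe from cmd.exe: alert
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r"cmd.exe /c mklink C:\Windows\System32\osk.exe C:\Windows\System32\cmd.exe",
    },
    {   # renamed cmd.exe: OriginalFileName (PE header) still identifies it; upper-case MKLINK still matches
        "Image": r"C:\Temp\svc.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r"svc.exe /c MKLINK C:\Windows\System32\osk.exe C:\Windows\System32\cmd.exe",
    },
    {   # same command line but the logged process is not cmd.exe: selection_img fails
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r"powershell -c cmd /c mklink C:\Windows\System32\osk.exe C:\Windows\System32\cmd.exe",
    },
]

def matching_indices(events: List[Dict[str, str]]) -> List[int]:
    """Return indices of events that trigger the rule."""
    return [i for i, e in enumerate(events) if rule_matches(e)]
```

In the fourth event the rule does not fire on the powershell.exe process itself, but the cmd.exe child it spawns produces its own process-creation event, which does match.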
Related rules
- Sticky Key Like Backdoor Execution
- Potential Suspicious Activity Using SeCEdit
- Suspicious Debugger Registration Cmdline
- Sticky Key Like Backdoor Usage - Registry
- HackTool - CrackMapExec Execution