Sticky Key Like Backdoor Execution
Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
Sigma rule (View on GitHub)

```yaml
title: Sticky Key Like Backdoor Execution
id: 2fdefcb3-dbda-401e-ae23-f0db027628bc
related:
    - id: baca5663-583c-45f9-b5dc-ea96a22ce542
      type: derived
status: test
description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
references:
    - https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors
author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
date: 2018-03-15
modified: 2023-03-07
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.008
    - car.2014-11-003
    - car.2014-11-008
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\winlogon.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
            - '\wt.exe'
        CommandLine|contains:
            - 'sethc.exe'
            - 'utilman.exe'
            - 'osk.exe'
            - 'Magnify.exe'
            - 'Narrator.exe'
            - 'DisplaySwitch.exe'
    condition: selection
falsepositives:
    - Unlikely
level: critical
```
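To see what the selection above actually fires on, here is an added Python re-implementation of the rule's matching logic run over a few constructed process-creation events. This is illustrative code written for this page, not part of the Sigma project or of any SIEM backend; the event dictionaries and their `id` values are made up, and the matcher emulates Sigma's default case-insensitive string comparison for the `endswith` and `contains` modifiers.

```python
# Added example: evaluate the rule's selection against process_creation events.
# The three value lists are copied verbatim from the rule; everything else
# (field names as plain dict keys, the sample events) is an assumption made here.

PARENT_SUFFIX = r"\winlogon.exe"

IMAGE_SUFFIXES = [
    r"\cmd.exe", r"\cscript.exe", r"\mshta.exe", r"\powershell.exe",
    r"\pwsh.exe", r"\regsvr32.exe", r"\rundll32.exe", r"\wscript.exe", r"\wt.exe",
]

CMDLINE_SUBSTRINGS = [
    "sethc.exe", "utilman.exe", "osk.exe",
    "Magnify.exe", "Narrator.exe", "DisplaySwitch.exe",
]


def _ends_with_any(value: str, suffixes: list[str]) -> bool:
    # Sigma string matching is case-insensitive unless a modifier says otherwise.
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_any(value: str, needles: list[str]) -> bool:
    v = value.lower()
    return any(n.lower() in v for n in needles)


def matches_sticky_key_backdoor(event: dict) -> bool:
    """Return True when the event satisfies the rule's `selection` block.

    All three conditions are ANDed, exactly as a Sigma selection map is.
    Missing fields are treated as empty strings and therefore never match.
    """
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    return (
        _ends_with_any(parent, [PARENT_SUFFIX])
        and _ends_with_any(image, IMAGE_SUFFIXES)
        and _contains_any(cmdline, CMDLINE_SUBSTRINGS)
    )


# Constructed sample telemetry (not real logs). Field names follow the Sigma
# process_creation taxonomy.
SAMPLE_EVENTS = [
    {   # accessibility binary on the logon screen turned into cmd.exe: true positive
        "id": "evt-1",
        "ParentImage": r"C:\Windows\System32\winlogon.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'C:\Windows\System32\cmd.exe "C:\Windows\System32\sethc.exe" 211',
    },
    {   # normal child of winlogon: image not in the list
        "id": "evt-2",
        "ParentImage": r"C:\Windows\System32\winlogon.exe",
        "Image": r"C:\Windows\System32\LogonUI.exe",
        "CommandLine": r"C:\Windows\System32\LogonUI.exe /flags:0x0",
    },
    {   # admin shell referencing osk.exe, but parent is explorer, not winlogon
        "id": "evt-3",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c dir C:\Windows\System32\osk.exe",
    },
    {   # mixed case on every field: still matches because comparison is case-insensitive
        "id": "evt-4",
        "ParentImage": r"C:\WINDOWS\SYSTEM32\WINLOGON.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe",
        "CommandLine": r"PowerShell.exe -NoProfile -Command Get-Item C:\Windows\System32\UTILMAN.EXE",
    },
    {   # CommandLine field absent entirely: must not match
        "id": "evt-5",
        "ParentImage": r"C:\Windows\System32\winlogon.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
    },
]


def scan(events: list[dict]) -> list[str]:
    """Return the ids of all events the rule would alert on."""
    return [e["id"] for e in events if matches_sticky_key_backdoor(e)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT", hit)
```

Running it reports `evt-1` and `evt-4` only: the parent must be `winlogon.exe`, the child must be one of the listed interpreters or LOLBins, and the command line must mention one of the accessibility executables. Events `evt-2`, `evt-3` and `evt-5` each fail exactly one of the three ANDed conditions, which is why the rule can be tuned to `level: critical` with few false positives.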
Related rules
- Sticky Key Like Backdoor Usage - Registry
- Potential Privilege Escalation Using Symlink Between Osk and Cmd
- Potential Suspicious Activity Using SeCEdit
- Suspicious Debugger Registration Cmdline
- Abuse of Service Permissions to Hide Services Via Set-Service