Sticky Key Like Backdoor Execution

Detects the execution and installation of a backdoor that registers a malicious debugger for the built-in accessibility tools (such as sethc.exe or utilman.exe) that are reachable from the Windows login screen, by looking for script hosts and shells spawned by winlogon.exe with one of those tool names on the command line.

Sigma rule

title: Sticky Key Like Backdoor Execution
id: 2fdefcb3-dbda-401e-ae23-f0db027628bc
related:
    - id: baca5663-583c-45f9-b5dc-ea96a22ce542
      type: derived
status: test
description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
references:
    - https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors
author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
date: 2018/03/15
modified: 2023/03/07
tags:
    - attack.privilege_escalation
    - attack.persistence
    - attack.t1546.008
    - car.2014-11-003
    - car.2014-11-008
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\winlogon.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
            - '\wt.exe'
        CommandLine|contains:
            - 'sethc.exe'
            - 'utilman.exe'
            - 'osk.exe'
            - 'Magnify.exe'
            - 'Narrator.exe'
            - 'DisplaySwitch.exe'
    condition: selection
falsepositives:
    - Unlikely
level: critical
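To make the selection logic concrete, the following is an added Python evaluator for this rule's `selection` block; it is not part of the Sigma project or of this rule. It reproduces the three conditions exactly as written above (`ParentImage|endswith`, `Image|endswith`, `CommandLine|contains`), applies them case-insensitively as Sigma does by default, and runs them over a handful of constructed process_creation events. The event dictionaries, the `find_alerts` helper and the field names used for the samples are assumptions for illustration; real events would come from Sysmon Event ID 1 or Security Event ID 4688 after field mapping.

```python
"""Evaluate the 'Sticky Key Like Backdoor Execution' Sigma selection over
process_creation events.

Added example, not the Sigma project's own code. The sample events at the
bottom are constructed for illustration.
"""
from typing import Dict, Iterable, List, Sequence

# Values copied verbatim from the rule's selection block.
PARENT_SUFFIX = "\\winlogon.exe"
IMAGE_SUFFIXES: Sequence[str] = (
    "\\cmd.exe", "\\cscript.exe", "\\mshta.exe", "\\powershell.exe",
    "\\pwsh.exe", "\\regsvr32.exe", "\\rundll32.exe", "\\wscript.exe",
    "\\wt.exe",
)
COMMANDLINE_SUBSTRINGS: Sequence[str] = (
    "sethc.exe", "utilman.exe", "osk.exe",
    "Magnify.exe", "Narrator.exe", "DisplaySwitch.exe",
)


def _endswith_ci(value: str, suffixes: Sequence[str]) -> bool:
    """Sigma's |endswith modifier: case-insensitive suffix match, any-of."""
    lowered = value.lower()
    return any(lowered.endswith(s.lower()) for s in suffixes)


def _contains_ci(value: str, substrings: Sequence[str]) -> bool:
    """Sigma's |contains modifier: case-insensitive substring match, any-of."""
    lowered = value.lower()
    return any(s.lower() in lowered for s in substrings)


def matches_sticky_key_rule(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies every field in `selection`.

    A Sigma selection map is an AND over its fields, so a missing field
    (empty string here) can never match.
    """
    return (
        _endswith_ci(event.get("ParentImage", ""), (PARENT_SUFFIX,))
        and _endswith_ci(event.get("Image", ""), IMAGE_SUFFIXES)
        and _contains_ci(event.get("CommandLine", ""), COMMANDLINE_SUBSTRINGS)
    )


def find_alerts(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter a stream of process_creation events down to rule hits."""
    return [e for e in events if matches_sticky_key_rule(e)]


# Constructed sample events (hypothetical hosts, not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Hit: winlogon launched cmd.exe with sethc.exe on the command line, the
    # shape a debugger-registered accessibility tool produces at the logon screen.
    {"ParentImage": r"C:\Windows\System32\winlogon.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe"},
    # Hit: same pattern with different casing, which Sigma still matches.
    {"ParentImage": r"C:\WINDOWS\SYSTEM32\WINLOGON.EXE",
     "Image": r"C:\WINDOWS\SYSTEM32\POWERSHELL.EXE",
     "CommandLine": r"POWERSHELL.EXE UTILMAN.EXE"},
    # Benign: winlogon spawning userinit.exe is normal and not in the Image list.
    {"ParentImage": r"C:\Windows\System32\winlogon.exe",
     "Image": r"C:\Windows\System32\userinit.exe",
     "CommandLine": r"C:\Windows\system32\userinit.exe"},
    # Benign: cmd.exe mentioning sethc.exe but parented by explorer.exe, not winlogon.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\Windows\System32\sethc.exe"},
    # Benign: winlogon child in the Image list but no accessibility tool named.
    {"ParentImage": r"C:\Windows\System32\winlogon.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe user32.dll,LockWorkStation"},
]

if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "|", hit["CommandLine"])
```

Only the first two constructed events fire; the last three show why all three fields are needed together: a winlogon.exe parent alone, or an accessibility tool name alone, is routine, and it is the combination with an interactive shell or script host that is the critical signal.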
