Suspicious LOLBIN AccCheckConsole
Detects execution of AccCheckConsole.exe, the UI Accessibility Checker console tool shipped with the Windows SDK and listed as a LOLBIN, with the parameter pattern used to load an arbitrary DLL: the `-window` switch combined with a `.dll` argument on the command line. Matching on OriginalFileName as well as the image path catches a renamed copy of the binary.
Sigma rule

title: Suspicious LOLBIN AccCheckConsole
id: 0f6da907-5854-4be6-859a-e9958747b0aa
status: test
description: Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL
references:
    - https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340
    - https://twitter.com/bohops/status/1477717351017680899?s=12
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/
author: Florian Roth (Nextron Systems)
date: 2022/01/06
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\AccCheckConsole.exe'
        - OriginalFileName: 'AccCheckConsole.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' -window '
            - '.dll'
    condition: all of selection*
falsepositives:
    - Legitimate use of the UI Accessibility Checker
level: high
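To see what the rule actually fires on, the following added example (written for this page, not code from the Sigma project or from any SIEM backend) re-implements the rule's three pieces of logic in Python and runs them over a handful of constructed Sysmon-style process_creation events: a straightforward DLL load, a renamed copy of the binary caught only through OriginalFileName, a legitimate run without a DLL, a different binary using the same switches, an all-uppercase command line, and a command line where `-window` is the last token. The file paths, window titles and DLL names in the events are made up; the case-insensitive comparison follows the Sigma specification's default for string values.

```python
"""Evaluate the 'Suspicious LOLBIN AccCheckConsole' Sigma rule over sample events.

Added example for this page: it mirrors the rule's detection block by hand and is
not a generic Sigma engine. Field names follow Sysmon Event ID 1 as mapped to
Sigma's process_creation category; all event contents below are constructed.
"""


def _ci(value):
    """Sigma string matching is case-insensitive; normalise both sides the same way."""
    return (value or "").lower()


def match_selection_img(event):
    """selection_img is a list of two maps, so the two field checks are OR-ed."""
    image_ok = _ci(event.get("Image")).endswith(_ci("\\AccCheckConsole.exe"))
    original_name_ok = _ci(event.get("OriginalFileName")) == _ci("AccCheckConsole.exe")
    return image_ok or original_name_ok


def match_selection_cli(event):
    """selection_cli uses contains|all: every listed substring must be present."""
    command_line = _ci(event.get("CommandLine"))
    needles = (" -window ", ".dll")  # exactly as written in the rule, spaces included
    return all(_ci(needle) in command_line for needle in needles)


def rule_matches(event):
    """condition: all of selection*  ->  both selections must match."""
    return match_selection_img(event) and match_selection_cli(event)


def run_rule(events):
    """Return one verdict per event, in input order."""
    return [rule_matches(event) for event in events]


# Constructed sample events (paths, titles and DLL names are invented for the demo).
SAMPLE_EVENTS = [
    {   # 0: DLL load through the real binary -> match
        "Image": "C:\\Program Files (x86)\\Windows Kits\\10\\bin\\x64\\AccCheckConsole.exe",
        "OriginalFileName": "AccCheckConsole.exe",
        "CommandLine": 'AccCheckConsole.exe -window "Untitled - Notepad" C:\\Users\\Public\\payload.dll',
    },
    {   # 1: renamed copy; only OriginalFileName still identifies it -> match
        "Image": "C:\\Users\\Public\\acc.exe",
        "OriginalFileName": "AccCheckConsole.exe",
        "CommandLine": "acc.exe -window Calculator C:\\Users\\Public\\evil.dll",
    },
    {   # 2: legitimate accessibility check, no DLL argument -> no match
        "Image": "C:\\Program Files (x86)\\Windows Kits\\10\\bin\\x64\\AccCheckConsole.exe",
        "OriginalFileName": "AccCheckConsole.exe",
        "CommandLine": 'AccCheckConsole.exe -window "Untitled - Notepad"',
    },
    {   # 3: same switches on an unrelated binary -> selection_img fails -> no match
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": "rundll32.exe -window foo.dll",
    },
    {   # 4: upper-case everything; Sigma matching is case-insensitive -> match
        "Image": "C:\\TOOLS\\ACCCHECKCONSOLE.EXE",
        "CommandLine": "ACCCHECKCONSOLE.EXE -WINDOW Calculator C:\\T\\X.DLL",
    },
    {   # 5: '-window' is the last token, so ' -window ' (trailing space) is absent -> no match
        "Image": "C:\\Program Files (x86)\\Windows Kits\\10\\bin\\x64\\AccCheckConsole.exe",
        "OriginalFileName": "AccCheckConsole.exe",
        "CommandLine": "AccCheckConsole.exe C:\\Users\\Public\\payload.dll -window",
    },
]


if __name__ == "__main__":
    for index, verdict in enumerate(run_rule(SAMPLE_EVENTS)):
        print(f"event {index}: {'ALERT' if verdict else 'no match'}")
```

Two things worth noting from the verdicts: event 1 shows why the rule keys on OriginalFileName in addition to the image path, and event 5 shows that the `' -window '` needle, with its surrounding spaces, only matches the switch when it is followed by another argument, which is the normal placement but not the only one the binary's parser may accept.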
Related rules
- Antivirus Exploitation Framework Detection
- CobaltStrike Service Installations - Security
- DLL Load via LSASS
- Equation Group Indicators
- Flash Player Update from Suspicious Location