Suspicious Debugger Registration Cmdline
Detects command lines that register a debugger under the Image File Execution Options (IFEO) registry key for one of the accessibility programs reachable from the Windows logon screen (sethc.exe, utilman.exe, osk.exe and the others listed in the rule). Because these helpers are launched by winlogon before any user is authenticated, the registered "debugger" (typically cmd.exe) runs as SYSTEM from the lock screen; this is the classic sticky keys backdoor and the reason the rule is tagged both persistence and privilege escalation.
Sigma rule

title: Suspicious Debugger Registration Cmdline
id: ae215552-081e-44c7-805f-be16f975c8a2
status: test
description: Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
references:
    - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
    - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
date: 2019-09-06
modified: 2022-08-06
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546.008
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains: '\CurrentVersion\Image File Execution Options\'
    selection2:
        CommandLine|contains:
            - 'sethc.exe'
            - 'utilman.exe'
            - 'osk.exe'
            - 'magnify.exe'
            - 'narrator.exe'
            - 'displayswitch.exe'
            - 'atbroker.exe'
            - 'HelpPane.exe'
    condition: all of selection*
falsepositives:
    - Unknown
level: high
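To see exactly what the two selections and the `all of selection*` condition accept and reject, here is an added Python re-implementation of the rule's logic run over a handful of constructed process_creation events. This is example code written for this page, not the SigmaHQ rule or any Sigma backend; the event dictionaries and command lines are made up, and the field name `CommandLine` follows the Sigma process_creation convention. Sigma's `contains` modifier is case-insensitive, so the matcher lowercases both sides before comparing.

```python
"""Added example: the rule's two selections and condition in plain Python."""

# selection1: the IFEO registry path fragment the rule looks for.
IFEO_FRAGMENT = "\\CurrentVersion\\Image File Execution Options\\"

# selection2: accessibility binaries that winlogon can start from the logon screen.
LOGON_SCREEN_BINARIES = (
    "sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
    "narrator.exe", "displayswitch.exe", "atbroker.exe", "HelpPane.exe",
)


def _contains_any(value: str, needles) -> bool:
    """Sigma `contains` semantics: case-insensitive substring, any needle matches."""
    lowered = value.lower()
    return any(needle.lower() in lowered for needle in needles)


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies `all of selection*`."""
    cmdline = event.get("CommandLine", "")
    selection1 = _contains_any(cmdline, [IFEO_FRAGMENT])
    selection2 = _contains_any(cmdline, LOGON_SCREEN_BINARIES)
    return selection1 and selection2


# Constructed sample events (not real telemetry). Field names follow the
# Sigma process_creation schema; the command lines were written for this example.
SAMPLE_EVENTS = [
    # True positive: the classic sticky keys backdoor set via reg.exe.
    {"Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": 'reg add "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion'
                    '\\Image File Execution Options\\sethc.exe" /v Debugger /t REG_SZ '
                    '/d "C:\\Windows\\System32\\cmd.exe" /f'},
    # True positive: same key written from PowerShell, binary name in upper case.
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -c New-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft"
                    "\\Windows NT\\CurrentVersion\\Image File Execution Options"
                    "\\UTILMAN.EXE' -Name Debugger -Value cmd.exe"},
    # Only selection1: an IFEO debugger for a binary not reachable from the logon screen.
    {"Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": 'reg add "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion'
                    '\\Image File Execution Options\\notepad.exe" /v Debugger /d windbg.exe'},
    # Only selection2: sethc.exe on the command line but no IFEO key.
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c takeown /f C:\\Windows\\System32\\sethc.exe"},
]


def run_detection(events=SAMPLE_EVENTS):
    """Return the command lines of every event that triggers the rule."""
    return [event["CommandLine"] for event in events if matches_rule(event)]


if __name__ == "__main__":
    for hit in run_detection():
        print("ALERT:", hit)
```

Two things the walk-through makes visible. First, the rule keys only on the IFEO path plus a logon-screen binary name; it does not require the `Debugger` value name, so a `reg query` or `reg delete` against the same key will also alert, which is acceptable at level high but worth knowing when triaging. Second, it is a command-line rule: a debugger registered through regedit, a script loaded from a file, or a direct registry API call produces no matching command line. The registry-telemetry counterpart listed under related rules ("Sticky Key Like Backdoor Usage - Registry") is the intended complement for those paths.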
Related rules
- Potential Privilege Escalation Using Symlink Between Osk and Cmd
- Potential Suspicious Activity Using SeCEdit
- Sticky Key Like Backdoor Execution
- Sticky Key Like Backdoor Usage - Registry
- Abuse of Service Permissions to Hide Services Via Set-Service