Suspicious Debugger Registration Cmdline

 1title: Suspicious Debugger Registration Cmdline
 2id: ae215552-081e-44c7-805f-be16f975c8a2
 3status: test
 4description: Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
 5references:
 6    - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
 7    - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
 8author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
 9date: 2019/09/06
10modified: 2022/08/06
11tags:
12    - attack.persistence
13    - attack.privilege_escalation
14    - attack.t1546.008
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection1:
20        CommandLine|contains: '\CurrentVersion\Image File Execution Options\'
21    selection2:
22        CommandLine|contains:
23            - 'sethc.exe'
24            - 'utilman.exe'
25            - 'osk.exe'
26            - 'magnify.exe'
27            - 'narrator.exe'
28            - 'displayswitch.exe'
29            - 'atbroker.exe'
30            - 'HelpPane.exe'
31    condition: all of selection*
32falsepositives:
33    - Unknown
34level: high

References

• Archived MSDN and TechNet Blogs

  

  Archived MSDN and TechNet Blogs Article 8/28/2023 If you were looking for MSDN or TechNet blogs, please know that MSDN and TechNet blog sites have been retired, and blog content has been migrated a...

  
  Read More

• MalwareBazaar | Browse Checking your browser

  Please confirm that you are not a robot by clicking on the checkbox below

  
  Read More

Related rules

• New Service Creation Using PowerShell
• New Service Creation Using Sc.EXE
• Suspicious Service Path Modification
• Powerup Write Hijack DLL
• Possible Privilege Escalation via Weak Service Permissions