Sticky Key Like Backdoor Usage - Registry
Detects the installation of a Sticky Keys-style backdoor: a registry write that registers a Debugger under Image File Execution Options (IFEO) for one of the built-in accessibility tools that can be launched from the Windows logon screen (sethc.exe, utilman.exe, osk.exe and others). Once the value is set, invoking the tool before logon (for example pressing Shift five times, or opening Ease of Access) runs the attacker's program instead, in the privileged logon-screen context, without credentials.
Sigma rule
title: Sticky Key Like Backdoor Usage - Registry
id: baca5663-583c-45f9-b5dc-ea96a22ce542
status: test
description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
references:
    - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
    - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
date: 2018-03-15
modified: 2022-11-26
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.008
    - car.2014-11-003
    - car.2014-11-008
logsource:
    category: registry_event
    product: windows
detection:
    selection_registry:
        TargetObject|endswith:
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atbroker.exe\Debugger'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe\Debugger'
    condition: selection_registry
falsepositives:
    - Unlikely
level: critical
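The selection logic above, re-implemented in Python and run over constructed Sysmon Event ID 13 (registry value set) records. This is an added example, not code from the SigmaHQ rule or its authors; the event records, user names and the `\REGISTRY\MACHINE` prefix variant are constructed for illustration. It shows why the rule uses `endswith`: the hive prefix differs between collectors, so only the tail `...\Image File Execution Options\<tool>\Debugger` is compared, and the comparison is case-insensitive as Sigma string modifiers are by default.

```python
"""Sticky Key Like Backdoor Usage - Registry: the rule's selection as a function.

Added example, not part of the Sigma rule. All events below are constructed.
"""

# Tail of the eight IFEO Debugger paths the rule watches. Lower-cased once so the
# match is case-insensitive, as Sigma string modifiers are by default.
IFEO = r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
WATCHED_IMAGES = (
    "sethc.exe", "utilman.exe", "osk.exe", "Magnify.exe",
    "Narrator.exe", "DisplaySwitch.exe", "atbroker.exe", "HelpPane.exe",
)
SELECTION = tuple(f"{IFEO}\\{img}\\Debugger".lower() for img in WATCHED_IMAGES)


def matches_rule(event: dict) -> bool:
    """True when the event satisfies selection_registry:
    TargetObject ends with one of the watched ...\\<image>\\Debugger paths."""
    target = event.get("TargetObject", "").lower()
    return target.endswith(SELECTION)


def hunt(events):
    """Return (image, debugger_value, user) for every event the rule matches.

    image is the key name before \\Debugger; the Details field of a Sysmon
    value-set event carries the data written, i.e. the program that will be
    launched in place of the accessibility tool.
    """
    hits = []
    for ev in events:
        if matches_rule(ev):
            image = ev["TargetObject"].split("\\")[-2]
            hits.append((image, ev.get("Details", ""), ev.get("User", "")))
    return hits


# Constructed Sysmon Event ID 13 records (not real telemetry).
SAMPLE_EVENTS = [
    {   # classic Sticky Keys backdoor: Shift x5 at the logon screen now spawns cmd.exe
        "EventID": 13, "User": "NT AUTHORITY\\SYSTEM",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger",
        "Details": r"C:\Windows\System32\cmd.exe",
    },
    {   # same technique via the Ease of Access button, key written in different case
        "EventID": 13, "User": "CORP\\svc_deploy",
        "TargetObject": r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UTILMAN.EXE\Debugger",
        "Details": r"C:\Windows\System32\cmd.exe",
    },
    {   # constructed: a collector that emits the kernel object path instead of HKLM;
        # endswith ignores the prefix so the rule still fires
        "EventID": 13, "User": "NT AUTHORITY\\SYSTEM",
        "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger",
        "Details": r"C:\Windows\System32\cmd.exe",
    },
    {   # IFEO Debugger on a binary the rule does not watch (developer attaching a debugger)
        "EventID": 13, "User": "CORP\\dev01",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe\Debugger",
        "Details": r"C:\Tools\windbg.exe",
    },
    {   # a different value under a watched key; only the Debugger value redirects execution
        "EventID": 13, "User": "NT AUTHORITY\\SYSTEM",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\GlobalFlag",
        "Details": "DWORD (0x00000200)",
    },
]

if __name__ == "__main__":
    for image, debugger, user in hunt(SAMPLE_EVENTS):
        print(f"CRITICAL: IFEO Debugger set for {image} -> {debugger} (by {user})")
```

Two caveats for anyone deploying the rule. It only sees the registry write, so Sysmon (or the equivalent source) must be configured to log value sets under the IFEO key, and a backdoor planted before logging started, or planted by overwriting sethc.exe with a copy of cmd.exe rather than through IFEO, produces no registry event; the related rule "Sticky Key Like Backdoor Execution" covers the spawn at logon. On a suspect host, `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe"` (and the other seven image names) shows whether a Debugger value is present right now.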
Related rules
- Sticky Key Like Backdoor Execution
- Potential Privilege Escalation Using Symlink Between Osk and Cmd
- Potential Suspicious Activity Using SeCEdit
- Suspicious Debugger Registration Cmdline
- Abuse of Service Permissions to Hide Services Via Set-Service