Sticky Key Like Backdoor Execution
Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
By replacing the sticky keys executable with the local admin's CMD executable, an attacker is able to access a privileged Windows console session without authenticating to the system. When the sticky keys are "activated", the privileged shell is launched.
Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.
Potential Suspicious Activity Using SeCEdit
Mar 5, 2023 · attack.discovery attack.persistence attack.defense_evasion attack.credential_access attack.privilege_escalation attack.t1562.002 attack.t1547.001 attack.t1505.005 attack.t1556.002 attack.t1562 attack.t1574.007 attack.t1564.002 attack.t1546.008 attack.t1546.007 attack.t1547.014 attack.t1547.010 attack.t1547.002 attack.t1557 attack.t1082 · Detects potential suspicious behaviour using secedit.exe, such as exporting or modifying the security policy.
Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
Detects potential tampering with Windows Defender settings, such as adding an exclusion using wmic.
Read MoreSticky Key Like Backdoor Usage - Registry
Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen