detection.wiki

ATT&CK coverage › Technique

Event Triggered Execution: Accessibility Features T1546.008

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.

Events covered

6 catalog events are tagged with this technique by at least one rule.

ProviderEvent IDTitle
Sysmon1Process creation
Sysmon11FileCreate
Sysmon12RegistryEvent (Object create and delete)
Sysmon13RegistryEvent (Value Set)
Sysmon14RegistryEvent (Key and Value Rename)
Security-Auditing4688A new process has been created.

Authoring guide

Patterns shared across the 9 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (8 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
CommandLine5match 5sethc.exe, copy , C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe, /y , \osk.exe
Image4ends_with 3, match 1ImagesList, \cmd.exe, \secedit.exe, \rundll32.exe, \pwsh.exe
OriginalFileName2eq 2Cmd.Exe, SeCEdit
EventLog1eq 1Microsoft-Windows-Sysmon/Operational
EventID1eq 11
ParentImage1ends_with 1\winlogon.exe
TargetObject1ends_with 1\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File..., \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File..., \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File...
TargetFilename1eq 1*\\Windows\\System32\\Magnify.exe*, *\\Windows\\System32\\Narrator.exe*, *\\Windows\\System32\\utilman.exe*

Top indicator values (53 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

FieldKindValueRules (here)Corpus reach
Imageends_with\cmd.exe292
CommandLinematchosk.exe22
CommandLinematchutilman.exe22
CommandLinematchsethc.exe22
ImagematchImagesList1
EventIDeq113
EventLogeqMicrosoft-Windows-Sysmon/Operational1
CommandLinematchC:\windows\system32\cmd.exe C:\windows\system32\sethc.exe1
CommandLinematchcopy 111
CommandLinematch/y 1
CommandLinematch\osk.exe1
CommandLinematch\cmd.exe1
OriginalFileNameeqCmd.Exe132
CommandLinematchmklink12
CommandLinematch/configure1
CommandLinematch/db1
OriginalFileNameeqSeCEdit1
CommandLinematch/cfg1
Imageends_with\secedit.exe1
CommandLinematch/export1

Common exclusions (1 distinct)

Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

FieldKindValueRules excluding
OriginalFileNamematchOriginalFileNameList1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 6 rules

Splunk 1 rule

Kusto Query Language 2 rules