Modification of Accessibility Features
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times, and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as "sticky keys", and has been used by adversaries for unauthenticated access through a remote desktop login screen. [1] Ref: https://attack.mitre.org/techniques/T1546/008/
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1546.008 Event Triggered Execution: Accessibility Features |
| Privilege Escalation | T1546.008 Event Triggered Execution: Accessibility Features |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
- Stage 1: source
  - Event
- Stage 2: where
  - and
    - EventID eq "1"
    - EventLog eq "Microsoft-Windows-Sysmon/Operational"
- Stage 3: parse
- Stage 4: where
  - and
    - not
      - OriginalFileName match "OriginalFileNameList"
    - Image match "ImagesList"
- Stage 5: parse
- Stage 6: summarize
- Stage 7: extend
- Stage 8: extend
- Stage 9: extend
- Stage 10: extend
- Stage 11: extend
- Stage 12: project-away
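The stage 2 and stage 4 predicates, re-implemented in Python over constructed Sysmon records as an added illustration (this is not the catalog's rule code). The contents of ImagesList and OriginalFileNameList are assumptions, since the page only names the lists, and "match" is treated as case-insensitive exact membership.

```python
from typing import Dict, List

# Assumed contents of the rule's two lists: well-known Windows accessibility
# binaries and the PE OriginalFileName each of them is expected to carry.
IMAGES_LIST = {
    r"c:\windows\system32\sethc.exe",
    r"c:\windows\system32\utilman.exe",
    r"c:\windows\system32\osk.exe",
    r"c:\windows\system32\magnify.exe",
    r"c:\windows\system32\narrator.exe",
}
ORIGINAL_FILE_NAME_LIST = {p.rsplit("\\", 1)[1] for p in IMAGES_LIST}


def is_replaced_accessibility_binary(event: Dict[str, str]) -> bool:
    """Stages 2 and 4: a Sysmon process-creation event whose Image is an
    accessibility binary but whose PE OriginalFileName is not one of the
    expected names, i.e. some other executable was copied over that path."""
    # Stage 2: keep only Sysmon Event ID 1 from the Sysmon operational log.
    if event.get("EventID") != "1":
        return False
    if event.get("EventLog") != "Microsoft-Windows-Sysmon/Operational":
        return False
    # Stage 4: Image in ImagesList AND NOT OriginalFileName in the name list.
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image in IMAGES_LIST and original not in ORIGINAL_FILE_NAME_LIST


# Constructed sample events (not real telemetry).
SYSMON_LOG = "Microsoft-Windows-Sysmon/Operational"
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Genuine sticky-keys launch: path and PE name agree, no alert.
    {"EventID": "1", "EventLog": SYSMON_LOG,
     "Image": r"C:\Windows\System32\sethc.exe", "OriginalFileName": "sethc.exe"},
    # sethc.exe path but the version info says Cmd.Exe: binary was replaced.
    {"EventID": "1", "EventLog": SYSMON_LOG,
     "Image": r"C:\Windows\System32\sethc.exe", "OriginalFileName": "Cmd.Exe"},
    # utilman.exe path with no version info ("-"): also not an expected name.
    {"EventID": "1", "EventLog": SYSMON_LOG,
     "Image": r"C:\Windows\System32\utilman.exe", "OriginalFileName": "-"},
    # Ordinary cmd.exe launch: path is not in ImagesList, out of scope.
    {"EventID": "1", "EventLog": SYSMON_LOG,
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe"},
    # Security-log 4688 for the same path: wrong provider, dropped at stage 2.
    {"EventID": "4688", "EventLog": "Security",
     "Image": r"C:\Windows\System32\sethc.exe", "OriginalFileName": "Cmd.Exe"},
]


def find_hits(events: List[Dict[str, str]]) -> List[str]:
    """Return the Image paths of the events the rule would alert on."""
    return [e["Image"] for e in events if is_replaced_accessibility_binary(e)]
```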
Exclusions
Top-level NOT(...) conjuncts — predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | OriginalFileName | match | OriginalFileNameList |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| EventID | eq | "1" |
| EventLog | eq | "Microsoft-Windows-Sysmon/Operational" |
| Image | match | ImagesList |