Uncommon Assistive Technology Applications Execution Via AtBroker.EXE

Severity: medium
Author: Mateusz Wydra, oscd.community
Source: upstream

Detects the start of a non built-in assistive technology applications via "Atbroker.EXE".

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1218` System Binary Proxy Execution

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `all of selection_img`

or:
Image|endswith: '\AtBroker.exe'
OriginalFileName: AtBroker.exe

Stage 2: `all of selection_cli`

CommandLine|contains: start

Stage 3: `not 1 of filter_main_builtin`

or:
CommandLine|contains: Narrator
CommandLine|contains: animations
CommandLine|contains: audiodescription
CommandLine|contains: caretbrowsing
CommandLine|contains: caretwidth
CommandLine|contains: colorfiltering
CommandLine|contains: cursorindicator
CommandLine|contains: cursorscheme
CommandLine|contains: filterkeys
CommandLine|contains: focusborderheight
CommandLine|contains: focusborderwidth
CommandLine|contains: highcontrast
CommandLine|contains: keyboardcues
CommandLine|contains: keyboardpref
CommandLine|contains: livecaptions
CommandLine|contains: magnifierpane
CommandLine|contains: messageduration
CommandLine|contains: minimumhitradius
CommandLine|contains: mousekeys
CommandLine|contains: osk
CommandLine|contains: overlappedcontent
CommandLine|contains: showsounds
CommandLine|contains: soundsentry
CommandLine|contains: speechreco
CommandLine|contains: stickykeys
CommandLine|contains: togglekeys
CommandLine|contains: voiceaccess
CommandLine|contains: windowarranging
CommandLine|contains: windowtracking
CommandLine|contains: windowtrackingtimeout
CommandLine|contains: windowtrackingzorder

Stage 4: `not 1 of filter_optional_java`

CommandLine|contains: Oracle_JavaAccessBridge

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`Narrator` `Oracle_JavaAccessBridge` `animations` `audiodescription` `caretbrowsing` `caretwidth` `colorfiltering` `cursorindicator` `cursorscheme` `filterkeys` `focusborderheight` `focusborderwidth` `highcontrast` `keyboardcues` `keyboardpref` `livecaptions` `magnifierpane` `messageduration` `minimumhitradius` `mousekeys` `osk` `overlappedcontent` `showsounds` `soundsentry` `speechreco` `start` corpus 6 (sigma 6) `stickykeys` `togglekeys` `voiceaccess` `windowarranging` `windowtracking` `windowtrackingtimeout` `windowtrackingzorder`
`Image`	ends_with	`\AtBroker.exe`
`OriginalFileName`	eq	`AtBroker.exe`

Uncommon Assistive Technology Applications Execution Via AtBroker.EXE

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: all of selection_img

Stage 2: all of selection_cli

Stage 3: not 1 of filter_main_builtin

Stage 4: not 1 of filter_optional_java

Indicators

Stage 1: `all of selection_img`

Stage 2: `all of selection_cli`

Stage 3: `not 1 of filter_main_builtin`

Stage 4: `not 1 of filter_optional_java`