Detection rules › Splunk
Command Line Utility Added to Accessibility Features (Windows Event Log)
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. This use case detects registry modification commands or events adding cmd.exe or PowerShell/pwsh.exe to Accessibility Features registry keys.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059 Command and Scripting Interpreter |
| Persistence | T1546.008 Event Triggered Execution: Accessibility Features |
| Privilege Escalation | T1546.008 Event Triggered Execution: Accessibility Features |
References
- https://attack.mitre.org/techniques/T1546/008/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md#atomic-test-1---attaches-command-prompt-as-a-debugger-to-a-list-of-target-processes
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-8base
Event coverage
| Provider | Event | Title |
|---|---|---|
| Security-Auditing | Event ID 4657 | A registry value was modified. |
| Security-Auditing | Event ID 4688 | A new process has been created. |
Rule body yaml
id: '31349.56233'
title: Command Line Utility Added to Accessibility Features
description: 'Adversaries may establish persistence and/or elevate privileges by executing
malicious content triggered by accessibility features. Windows contains accessibility
features that may be launched with a key combination before a user has logged in
(ex: when the user is on the Windows logon screen). An adversary can modify the
way these programs are launched to get a command prompt or backdoor without logging
in to the system. This use case detects registry modification commands or events
adding cmd.exe or PowerShell/pwsh.exe to Accessibility Features registry keys.'
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_winevent` ((TERM(EventCode=4657) OR
"<EventID>4657<") OR (TERM(EventCode=4688) OR "<EventID>4688<" OR Type=Process))
"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution" "Debugger"
("sethc.exe" OR "utilman.exe" OR "osk.exe" OR "Magnify.exe" OR "Narrator.exe" OR
"DisplaySwitch.exe" OR "atbroker.exe" OR "HelpPane.exe") ("cmd.exe" OR "powershell.exe"
OR "pwsh.exe") | where (match(signature_id, "4657") and match(ObjectValueName, "(?i)Debugger")
and match(NewValue, "(?i)(cmd|pwsh|powershell)\.exe")) or (match(signature_id, "4688")
and match(process, "(?i)Debugger.+\x5c(cmd|pwsh|powershell)\.exe"))| table _time,
host, user, process, parent_process_name, signature_id, ObjectValueName, NewValue
| bin span=1s | stats values(*) as * by _time, host '
techniques:
- execution:command and scripting interpreter
- persistence:event triggered execution:accessibility features
technique_id:
- T1059
- T1546.008
data_category:
- Process command-line parameters
- Windows event logs
- Windows Registry
references:
- https://attack.mitre.org/techniques/T1546/008/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md#atomic-test-1---attaches-command-prompt-as-a-debugger-to-a-list-of-target-processes
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-8base
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_winevent` ((TERM(EventCode=4657) OR "<EventID>4657<") OR (TERM(EventCode=4688) OR "<EventID>4688<" OR Type=Process)) "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution" "Debugger" ("sethc.exe" OR "utilman.exe" OR "osk.exe" OR "Magnify.exe" OR "Narrator.exe" OR "DisplaySwitch.exe" OR "atbroker.exe" OR "HelpPane.exe") ("cmd.exe" OR "powershell.exe" OR "pwsh.exe")
Stage 2: where
| where (match(signature_id, "4657") and match(ObjectValueName, "(?i)Debugger") and match(NewValue, "(?i)(cmd|pwsh|powershell)\.exe")) or (match(signature_id, "4688") and match(process, "(?i)Debugger.+\x5c(cmd|pwsh|powershell)\.exe"))
Stage 3: table
| table _time, host, user, process, parent_process_name, signature_id, ObjectValueName, NewValue
Stage 4: bucket
| bin span=1s
Stage 5: stats
| stats values(*) as * by _time, host
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
NewValue | match |
|
ObjectValueName | match |
|
process | match |
|
signature_id | match |
|
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "<EventID>4657<" |
| 1 | TERM |
| 1 | "<EventID>4688<" |
| 1 | "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution" |
| 1 | "Debugger" |
| 1 | "sethc.exe" |
| 1 | "utilman.exe" |
| 1 | "osk.exe" |
| 1 | "Magnify.exe" |
| 1 | "Narrator.exe" |
| 1 | "DisplaySwitch.exe" |
| 1 | "atbroker.exe" |
| 1 | "HelpPane.exe" |
| 1 | "cmd.exe" |
| 1 | "powershell.exe" |
| 1 | "pwsh.exe" |