Image Debuggers for Accessibility Features
The Debugger registry value under Image File Execution Options allows an attacker to intercept the execution of a program, causing a different process to be launched in its place. Attackers use this functionality, often against commonly invoked programs, to establish persistence.
| id | 279773ee-7c69-4043-870c-9ed731c7989a |
|---|---|
| categories | detect |
| confidence | medium |
| os | windows |
| created | 11/30/2018 |
| updated | 11/30/2018 |
MITRE ATT&CK™ Mapping

| tactics | Persistence, Privilege Escalation, Defense Evasion |
|---|---|
| techniques | T1015 Accessibility Features, T1183 Image File Execution Options Injection |
Query

```eql
registry where wildcard(registry_path,
    "*\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger",
    "*\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger"
)
and wildcard(registry_path,
    // Accessibility Features
    "*\\sethc.exe\\*",
    "*\\utilman.exe\\*",
    "*\\narrator.exe\\*",
    "*\\osk.exe\\*",
    "*\\magnify.exe\\*",
    "*\\displayswitch.exe\\*",
    "*\\atbroker.exe\\*"
)
```
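The same two-stage match, expressed in Python and run over constructed registry events, as an added illustration that is not part of the original analytic: the first stage requires an IFEO `Debugger` value path (native or Wow6432Node hive), the second requires the subkey to name one of the accessibility binaries. The event dictionary fields and helper names are assumptions made for this example.

```python
import fnmatch

# Glob forms of the two IFEO Debugger path patterns from the rule.
IFEO_DEBUGGER_PATTERNS = [
    "*\\software\\microsoft\\windows nt\\currentversion\\image file execution options\\*\\debugger",
    "*\\software\\wow6432node\\microsoft\\windows nt\\currentversion\\image file execution options\\*\\debugger",
]

# Accessibility binaries listed in the rule's second wildcard() clause.
ACCESSIBILITY_BINARIES = [
    "sethc.exe", "utilman.exe", "narrator.exe", "osk.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
]
ACCESSIBILITY_PATTERNS = ["*\\" + exe + "\\*" for exe in ACCESSIBILITY_BINARIES]


def matches_any(path, patterns):
    """Case-insensitive glob match; EQL's wildcard() compares strings case-insensitively."""
    lowered = path.lower()
    return any(fnmatch.fnmatchcase(lowered, pattern) for pattern in patterns)


def is_accessibility_debugger_event(event):
    """True when a registry event touches an IFEO Debugger value for an accessibility binary."""
    if event.get("event_type") != "registry":  # the rule is scoped to registry events
        return False
    path = event.get("registry_path", "")
    return matches_any(path, IFEO_DEBUGGER_PATTERNS) and matches_any(path, ACCESSIBILITY_PATTERNS)


def find_alerts(events):
    """Return the registry paths of every event the rule would fire on."""
    return [e["registry_path"] for e in events if is_accessibility_debugger_event(e)]


# Constructed sample events (assumed field layout, not real telemetry).
IFEO = "\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"
IFEO_WOW = "\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"
SAMPLE_EVENTS = [
    {"event_type": "registry", "registry_path": "HKLM" + IFEO + "sethc.exe\\Debugger"},       # fires
    {"event_type": "registry", "registry_path": "HKLM" + IFEO_WOW + "utilman.exe\\Debugger"}, # fires (32-bit hive)
    {"event_type": "registry", "registry_path": "HKLM" + IFEO + "notepad.exe\\Debugger"},     # not an accessibility binary
    {"event_type": "registry", "registry_path": "HKLM" + IFEO + "osk.exe\\UseFilter"},        # not the Debugger value
    {"event_type": "process", "registry_path": "HKLM" + IFEO + "osk.exe\\Debugger"},          # wrong event type
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", alert)
```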