creation of non-default, legitimate at usage

t1218
t1547
windows
sigma

Techniques

t1218
t1547

Sample rules

Atbroker Registry Change

source: sigma
technicques:
- t1218
- t1547

Description

Detects creation/modification of Assistive Technology applications and persistence with usage of ‘at’

Detection logic

condition: selection and not 1 of filter_*
filter_atbroker:
  Details: (Empty)
  Image: C:\Windows\system32\atbroker.exe
  TargetObject|contains: \Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
filter_uninstallers:
  Image|startswith: C:\Windows\Installer\MSI
  TargetObject|contains: Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
selection:
  TargetObject|contains:
  - Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
  - Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration