Techniques
Sample rules
Uncommon Assistive Technology Applications Execution Via AtBroker.EXE
- source: sigma
- techniques:
  - t1218
Description
Detects the start of non-built-in assistive technology applications via “Atbroker.EXE”.
Detection logic
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_builtin:
    CommandLine|contains:
        - animations
        - audiodescription
        - caretbrowsing
        - caretwidth
        - colorfiltering
        - cursorindicator
        - cursorscheme
        - filterkeys
        - focusborderheight
        - focusborderwidth
        - highcontrast
        - keyboardcues
        - keyboardpref
        - livecaptions
        - magnifierpane
        - messageduration
        - minimumhitradius
        - mousekeys
        - Narrator
        - osk
        - overlappedcontent
        - showsounds
        - soundsentry
        - speechreco
        - stickykeys
        - togglekeys
        - voiceaccess
        - windowarranging
        - windowtracking
        - windowtrackingtimeout
        - windowtrackingzorder
filter_optional_java:
    CommandLine|contains: Oracle_JavaAccessBridge
selection_cli:
    CommandLine|contains: start
selection_img:
    - Image|endswith: \AtBroker.exe
    - OriginalFileName: AtBroker.exe
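The condition above applied to constructed process-creation events, as an added example that is not part of the Sigma rule or its project. The event values, the `ExampleAT` name and the `helper.exe` path are constructed; matching follows Sigma's case-insensitive string comparison.

```python
# Added example: applies the rule's condition to constructed events.
# Sigma string matching (plain, contains, endswith) is case-insensitive.
BUILTIN = (
    "animations audiodescription caretbrowsing caretwidth colorfiltering "
    "cursorindicator cursorscheme filterkeys focusborderheight "
    "focusborderwidth highcontrast keyboardcues keyboardpref livecaptions "
    "magnifierpane messageduration minimumhitradius mousekeys Narrator osk "
    "overlappedcontent showsounds soundsentry speechreco stickykeys "
    "togglekeys voiceaccess windowarranging windowtracking "
    "windowtrackingtimeout windowtrackingzorder"
).lower().split()

def matches(event):
    """Return True when the event satisfies the rule's condition."""
    cli = event.get("CommandLine", "").lower()
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    # selection_img is a list of two maps: either one is enough (OR),
    # so a copy of the binary under another name still matches.
    selection_img = image.endswith(r"\atbroker.exe") or original == "atbroker.exe"
    selection_cli = "start" in cli
    filter_main_builtin = any(name in cli for name in BUILTIN)
    filter_optional_java = "oracle_javaaccessbridge" in cli
    return (selection_img and selection_cli
            and not filter_main_builtin and not filter_optional_java)

ATBROKER = r"C:\Windows\System32\AtBroker.exe"
# Constructed process-creation events (not real telemetry).
EVENTS = [
    {"Image": ATBROKER, "OriginalFileName": "AtBroker.exe",
     "CommandLine": "atbroker.exe /start osk"},                      # built-in
    {"Image": ATBROKER, "OriginalFileName": "AtBroker.exe",
     "CommandLine": "AtBroker.exe /start Oracle_JavaAccessBridge"},  # optional filter
    {"Image": ATBROKER, "OriginalFileName": "AtBroker.exe",
     "CommandLine": "AtBroker.exe /start ExampleAT"},                # not built-in
    {"Image": r"C:\Users\Public\helper.exe", "OriginalFileName": "AtBroker.exe",
     "CommandLine": "helper.exe /start ExampleAT"},                  # renamed copy
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe start.txt"},                        # other process
]

def alerts(events=EVENTS):
    """Command lines of the events the rule would alert on."""
    return [e["CommandLine"] for e in events if matches(e)]

if __name__ == "__main__":
    for line in alerts():
        print("ALERT:", line)
```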