Techniques
Sample rules
Potential DLL Injection Via AccCheckConsole
- source: sigma
- technicques:
Description
Detects the execution “AccCheckConsole” a command-line tool for verifying the accessibility implementation of an application’s UI. One of the tests that this checker can run are called “verification routine”, which tests for things like Consistency, Navigation, etc. The tool allows a user to provide a DLL that can contain a custom “verification routine”. An attacker can build such DLLs and pass it via the CLI, which would then be loaded in the context of the “AccCheckConsole” utility.
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains:
- ' -hwnd'
- ' -process '
- ' -window '
selection_img:
- Image|endswith: \AccCheckConsole.exe
- OriginalFileName: AccCheckConsole.exe