LoFP / Legitimate use of the UI Accessibility Checker

Techniques

Sample rules

Suspicious LOLBIN AccCheckConsole

Description

Detects suspicious execution of AccCheckConsole.exe (the UI Accessibility Checker console shipped with the Windows SDK, usable as a LOLBIN) with the -window switch together with a .dll argument, the parameter combination used to make the tool load an arbitrary DLL. A legitimate accessibility check that passes a verification DLL on the command line produces the same event, which is the false positive this page records.

Detection logic

selection_img:
  - Image|endswith: '\AccCheckConsole.exe'
  - OriginalFileName: 'AccCheckConsole.exe'
selection_cli:
  CommandLine|contains|all:
    - ' -window '
    - '.dll'
condition: all of selection*
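The logic above, evaluated over constructed process-creation events as an added example (not code from the LoFP page or the Sigma project). It applies Sigma's case-insensitive matching, shows that the two selections are ANDed while the two image fields are ORed (so a renamed copy is still caught through OriginalFileName), and includes a legitimate-use event that matches the rule exactly as the page warns. The SDK install path, the DLL names and every command line are constructed; the `dll_args_outside_sdk` enrichment is a hypothetical triage step that assumes legitimate verification DLLs live under the Windows Kits directory, not part of the rule.

```python
import re

# Constructed sample events in the shape of the Sigma process_creation log source
# (for example Sysmon Event ID 1). None of these are real telemetry; the SDK path
# is an assumption for illustration.
SDK_BIN = "C:\\Program Files (x86)\\Windows Kits\\10\\bin\\x64\\"

EVENTS = [
    {
        "label": "dll loaded from a user-writable directory",
        "Image": SDK_BIN + "AccCheckConsole.exe",
        "OriginalFileName": "AccCheckConsole.exe",
        "CommandLine": 'AccCheckConsole.exe -window "Untitled - Notepad" C:\\Users\\Public\\payload.dll',
    },
    {
        "label": "renamed copy; OriginalFileName from the PE header still matches",
        "Image": "C:\\Users\\Public\\acc.exe",
        "OriginalFileName": "AccCheckConsole.exe",
        "CommandLine": 'acc.exe -WINDOW "Untitled - Notepad" C:\\Users\\Public\\payload.DLL',
    },
    {
        "label": "legitimate check with a verification dll under the SDK (the false positive on this page)",
        "Image": SDK_BIN + "AccCheckConsole.exe",
        "OriginalFileName": "AccCheckConsole.exe",
        "CommandLine": 'AccCheckConsole.exe -window "Calculator" "' + SDK_BIN + 'ExampleVerification.dll"',
    },
    {
        "label": "accessibility check without any dll argument",
        "Image": SDK_BIN + "AccCheckConsole.exe",
        "OriginalFileName": "AccCheckConsole.exe",
        "CommandLine": 'AccCheckConsole.exe -window "Calculator"',
    },
    {
        "label": "another binary whose command line carries both tokens",
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": "rundll32.exe C:\\Users\\Public\\tool.dll,Run -window main",
    },
]


def _lower(value):
    # Sigma string modifiers match case-insensitively; normalise once here.
    return (value or "").lower()


def selection_img(event):
    # A list of maps in Sigma is an OR: either the image path ends with the
    # binary name, or the PE's OriginalFileName identifies a renamed copy.
    return (_lower(event.get("Image")).endswith("\\acccheckconsole.exe")
            or _lower(event.get("OriginalFileName")) == "acccheckconsole.exe")


def selection_cli(event):
    # contains|all: every listed substring must be present in CommandLine.
    cmd = _lower(event.get("CommandLine"))
    return all(token in cmd for token in (" -window ", ".dll"))


def rule_matches(event):
    # condition: all of selection*  (both selections must be true)
    return selection_img(event) and selection_cli(event)


def run_rule(events=EVENTS):
    """Labels of the events the rule fires on, in input order."""
    return [e["label"] for e in events if rule_matches(e)]


# Quoted ("C:\path with spaces\x.dll") or bare (C:\path\x.dll) .dll tokens.
DLL_TOKEN = re.compile(r'"([^"]*\.dll)"|(\S+\.dll)', re.IGNORECASE)


def dll_args_outside_sdk(event, sdk_root="c:\\program files (x86)\\windows kits\\"):
    """Hypothetical triage enrichment (not part of the Sigma rule): the .dll
    arguments on the command line that are not under the assumed SDK root."""
    found = [quoted or bare for quoted, bare in DLL_TOKEN.findall(event.get("CommandLine") or "")]
    return [path for path in found if not path.lower().startswith(sdk_root)]


def hits_needing_review(events=EVENTS):
    """Rule hits that survive the enrichment: a DLL from outside the SDK tree."""
    return [e["label"] for e in events if rule_matches(e) and dll_args_outside_sdk(e)]


if __name__ == "__main__":
    for e in EVENTS:
        print(f"{rule_matches(e)!s:5} {e['label']}")
    print("still to review:", hits_needing_review())
```

The enrichment is only a first-pass filter for the documented false positive: an attacker can drop a DLL into the SDK directory if they can write there, so the surviving hits are a starting point for review, not a verdict.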