title: Suspicious Atbroker Execution
author: Mateusz Wydra, oscd.community
date: 2020/10/12
description: Atbroker executing non-deafualt Assistive Technology applications
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    Image: '*AtBroker.exe'
  SELECTION_3:
    CommandLine: '*start*'
  SELECTION_4:
    CommandLine:
    - '*animations*'
    - '*audiodescription*'
    - '*caretbrowsing*'
    - '*caretwidth*'
    - '*colorfiltering*'
    - '*cursorscheme*'
    - '*filterkeys*'
    - '*focusborderheight*'
    - '*focusborderwidth*'
    - '*highcontrast*'
    - '*keyboardcues*'
    - '*keyboardpref*'
    - '*magnifierpane*'
    - '*messageduration*'
    - '*minimumhitradius*'
    - '*mousekeys*'
    - '*Narrator*'
    - '*osk*'
    - '*overlappedcontent*'
    - '*showsounds*'
    - '*soundsentry*'
    - '*stickykeys*'
    - '*togglekeys*'
    - '*windowarranging*'
    - '*windowtracking*'
    - '*windowtrackingtimeout*'
    - '*windowtrackingzorder*'
  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and  not (SELECTION_4))
falsepositives:
- Legitimate, non-default assistive technology applications execution
id: f24bcaea-0cd1-11eb-adc1-0242ac120002
level: high
logsource:
  category: process_creation
  product: windows
modified: 2021/08/14
references:
- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
- https://lolbas-project.github.io/lolbas/Binaries/Atbroker/
status: experimental
tags:
- attack.defense_evasion
- attack.t1218
ruletype: SIGMA