title: Suspicious Debugger Registration Cmdline
author: Florian Roth, oscd.community, Jonhnathan Ribeiro
date: 2019/09/06
description: Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
detection:
    SELECTION_1:
        EventID: 1
    SELECTION_2:
        CommandLine: '*\CurrentVersion\Image File Execution Options\\*'
    SELECTION_3:
        CommandLine: '*sethc.exe*'
    SELECTION_4:
        CommandLine: '*utilman.exe*'
    SELECTION_5:
        CommandLine: '*osk.exe*'
    SELECTION_6:
        CommandLine: '*magnify.exe*'
    SELECTION_7:
        CommandLine: '*narrator.exe*'
    SELECTION_8:
        CommandLine: '*displayswitch.exe*'
    SELECTION_9:
        CommandLine: '*atbroker.exe*'
    condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4 or SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9))
falsepositives:
    - Penetration Tests
id: ae215552-081e-44c7-805f-be16f975c8a2
level: high
logsource:
    category: process_creation
    product: windows
references:
    - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
status: experimental
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1546.008
    - attack.t1015
yml_filename: win_install_reg_debugger_backdoor.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
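The following is an added example, not part of the Sigma rule or the Sigma project's own code: a small Python evaluator that implements the rule's condition (Sysmon EventID 1, the Image File Execution Options path in CommandLine, and one of the seven accessibility binaries) and runs it over a handful of constructed process-creation events. It assumes Sigma's usual string semantics (`*` wildcard, case-insensitive comparison, `\\*` meaning a literal backslash followed by a wildcard); the event dictionaries and their `id` fields are constructed test data, not real telemetry.

```python
"""Evaluate the 'Suspicious Debugger Registration Cmdline' rule over sample events."""
import fnmatch
from typing import Dict, Iterable, List

# Effective patterns from the rule. In Sigma, '\\*' is a literal backslash
# followed by a wildcard, so the IFEO pattern is written here as a raw string
# ending in a single backslash before the '*'.
IFEO_PATTERN = r"*\CurrentVersion\Image File Execution Options\*"
ACCESSIBILITY_PATTERNS = [            # SELECTION_3 .. SELECTION_9
    "*sethc.exe*",
    "*utilman.exe*",
    "*osk.exe*",
    "*magnify.exe*",
    "*narrator.exe*",
    "*displayswitch.exe*",
    "*atbroker.exe*",
]


def sigma_wildcard_match(value: str, pattern: str) -> bool:
    """Sigma string matching: '*' is a wildcard and comparison is case-insensitive.

    The rule's patterns contain no '?' or '[', so fnmatchcase on the lower-cased
    strings implements exactly that; backslashes are matched literally.
    """
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def matches_rule(event: Dict[str, object]) -> bool:
    """Rule condition: SELECTION_1 and SELECTION_2 and (SELECTION_3 or ... or SELECTION_9)."""
    if event.get("EventID") != 1:                              # SELECTION_1: Sysmon process creation
        return False
    cmdline = str(event.get("CommandLine", ""))
    if not sigma_wildcard_match(cmdline, IFEO_PATTERN):        # SELECTION_2: IFEO registry path
        return False
    return any(sigma_wildcard_match(cmdline, p) for p in ACCESSIBILITY_PATTERNS)


def run_detection(events: Iterable[Dict[str, object]]) -> List[str]:
    """Return the ids of the events that trigger the rule, in input order."""
    return [str(e["id"]) for e in events if matches_rule(e)]


# Constructed sample events (hypothetical, not captured telemetry).
SAMPLE_EVENTS = [
    # Positive: debugger value set under IFEO for sethc.exe via reg.exe
    {"id": "e1", "EventID": 1,
     "CommandLine": r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\Windows\System32\cmd.exe" /f'},
    # Positive: same idea through PowerShell, mixed case, different binary
    {"id": "e2", "EventID": 1,
     "CommandLine": r"powershell -c New-ItemProperty -Path 'HKLM:\software\microsoft\windows nt\currentversion\image file execution options\Utilman.exe' -Name Debugger -Value cmd.exe"},
    # Negative: a registry-event record (EventID 13), not process creation; this rule is scoped to EventID 1
    {"id": "e3", "EventID": 13,
     "CommandLine": r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /d cmd.exe'},
    # Negative: IFEO path present, but the target is not one of the accessibility binaries
    {"id": "e4", "EventID": 1,
     "CommandLine": r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe"'},
    # Negative: accessibility binary launched normally, no IFEO path in the command line
    {"id": "e5", "EventID": 1,
     "CommandLine": r"C:\Windows\System32\utilman.exe /debug"},
]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT", hit)        # prints ALERT e1 and ALERT e2
```

Event e3 is the reason this rule is tagged `process_creation`: a debugger set through a registry-modification event (Sysmon EventID 13) or without a visible command line would need a separate rule keyed on the registry path rather than on `CommandLine`, so this detection should be paired with a registry-event rule rather than relied on alone.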