Try in Splunk Security Cloud

Description

The following analytic detects modifications to Windows accessibility binaries such as sethc.exe, utilman.exe, osk.exe, Magnify.exe, Narrator.exe, DisplaySwitch.exe, and AtBroker.exe. It leverages filesystem activity data from the Endpoint.Filesystem data model to identify changes to these specific files. This activity is significant because adversaries can exploit these binaries to gain unauthorized access or execute commands without logging in. If confirmed malicious, this could allow attackers to bypass authentication mechanisms, potentially leading to unauthorized system access and further compromise of the environment.

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2024-05-25
  • Author: David Dorsey, Splunk
  • ID: 13c2f6c3-10c5-4deb-9ba1-7c4460ebe4ae

Annotations

ATT&CK

ATT&CK

ID Technique Tactic
T1546 Event Triggered Execution Privilege Escalation, Persistence
T1546.008 Accessibility Features Privilege Escalation, Persistence
Kill Chain Phase
  • Exploitation
  • Installation
NIST
  • DE.CM
CIS20
  • CIS 10
CVE 


1
2
3
4
5
6



| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem where (Filesystem.file_path=*\\Windows\\System32\\sethc.exe* OR Filesystem.file_path=*\\Windows\\System32\\utilman.exe* OR Filesystem.file_path=*\\Windows\\System32\\osk.exe* OR Filesystem.file_path=*\\Windows\\System32\\Magnify.exe* OR Filesystem.file_path=*\\Windows\\System32\\Narrator.exe* OR Filesystem.file_path=*\\Windows\\System32\\DisplaySwitch.exe* OR Filesystem.file_path=*\\Windows\\System32\\AtBroker.exe*) by Filesystem.file_name Filesystem.dest 
| `drop_dm_object_name(Filesystem)` 
| `security_content_ctime(lastTime)` 
| `security_content_ctime(firstTime)` 
| `overwriting_accessibility_binaries_filter`

Macros

The SPL above uses the following Macros:

:information_source: overwriting_accessibility_binaries_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

  • _time
  • Filesystem.dest
  • Filesystem.file_path
  • Filesystem.file_name
  • Filesystem.dest

How To Implement

You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.

Known False Positives

Microsoft may provide updates to these binaries. Verify that these changes do not correspond with your normal software update cycle.

Associated Analytic Story

RBA

Risk Score Impact Confidence Message
72.0 80 90 A suspicious file modification or replace in $file_path$ in host $dest$

:information_source: The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 5