Try in Splunk Security Cloud

Description

Microsoft Windows contains accessibility features that can be launched with a key combination before a user has logged in. An adversary can modify or replace these programs so they can get a command prompt or backdoor without logging in to the system. This search looks for modifications to these binaries.

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2020-07-21
  • Author: David Dorsey, Splunk
  • ID: 13c2f6c3-10c5-4deb-9ba1-7c4460ebe4ae

ATT&CK

ID Technique Tactic
T1546.008 Accessibility Features Privilege Escalation, Persistence

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem where (Filesystem.file_path=*\\Windows\\System32\\sethc.exe* OR Filesystem.file_path=*\\Windows\\System32\\utilman.exe* OR Filesystem.file_path=*\\Windows\\System32\\osk.exe* OR Filesystem.file_path=*\\Windows\\System32\\Magnify.exe* OR Filesystem.file_path=*\\Windows\\System32\\Narrator.exe* OR Filesystem.file_path=*\\Windows\\System32\\DisplaySwitch.exe* OR Filesystem.file_path=*\\Windows\\System32\\AtBroker.exe*) by Filesystem.file_name Filesystem.dest 
| `drop_dm_object_name(Filesystem)` 
| `security_content_ctime(lastTime)` 
| `security_content_ctime(firstTime)` 
| `overwriting_accessibility_binaries_filter`

Associated Analytic Story

How To Implement

You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.

Required field

  • _time
  • Filesystem.dest
  • Filesystem.file_path
  • Filesystem.file_name
  • Filesystem.dest

Kill Chain Phase

  • Actions on Objectives

Known False Positives

Microsoft may provide updates to these binaries. Verify that these changes do not correspond with your normal software update cycle.

RBA

Risk Score Impact Confidence Message
72.0 80 90 A suspicious file modification or replace in $file_path$ in host $dest$

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 4