Image Debuggers for Accessibility Features

The Debugger registry key allows an attacker to launch intercept the execution of files, causing an a different process to be executed. This functionality is used by attackers and often targets common programs to establish persistence.

id:279773ee-7c69-4043-870c-9ed731c7989a
categories:detect
confidence:medium
os:windows
created:11/30/2018
updated:11/30/2018

MITRE ATT&CK™ Mapping

tactics:Persistence, Privilege Escalation, Defense Evasion
techniques:T1015 Accessibility Features, T1183 Image File Execution Options Injection

Query

registry where wildcard(key_path,
  "*\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger",
  "*\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger"
  )

  and wildcard(key_path,
    // Accessibility Features
    "*\\sethc.exe\\*",
    "*\\utilman.exe\\*",
    "*\\narrator.exe\\*",
    "*\\osk.exe\\*",
    "*\\magnify.exe\\*",
    "*\\displayswitch.exe\\*",
    "*\\atbroker.exe\\*",
  )

Contributors