Image Debuggers for Accessibility Features
The Image File Execution Options (IFEO) Debugger registry value allows an attacker to intercept the execution of a program, causing a different process to be launched in its place. This functionality is abused by attackers and often targets common programs to establish persistence.
| id: | 279773ee-7c69-4043-870c-9ed731c7989a |
|---|---|
| categories: | detect |
| confidence: | medium |
| os: | windows |
| created: | 11/30/2018 |
| updated: | 11/30/2018 |
MITRE ATT&CK™ Mapping
| tactics: | Persistence, Privilege Escalation, Defense Evasion |
|---|---|
| techniques: | T1015 Accessibility Features, T1183 Image File Execution Options Injection |
Query
```eql
registry where wildcard(registry_path,
                        // IFEO Debugger value in the native or the WOW64 view of the hive
                        "*\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger",
                        "*\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger"
                       )
and wildcard(registry_path,
             // Accessibility Features
             "*\\sethc.exe\\*",
             "*\\utilman.exe\\*",
             "*\\narrator.exe\\*",
             "*\\osk.exe\\*",
             "*\\magnify.exe\\*",
             "*\\displayswitch.exe\\*",
             "*\\atbroker.exe\\*"
            )
```
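To see what the analytic does and does not flag, here is the query's logic replayed in Python over constructed registry events. This is an added example, not part of the original analytic or the EQL library; `fnmatch` stands in for EQL's `wildcard()` and is assumed to compare case-insensitively, as registry paths do.

```python
import fnmatch

# Patterns taken from the EQL query above; the EQL "\\" escapes are single
# backslashes in Python raw strings.
IFEO_DEBUGGER_PATTERNS = (
    r"*\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*\Debugger",
    r"*\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*\Debugger",
)
ACCESSIBILITY_BINARIES = ("sethc.exe", "utilman.exe", "narrator.exe", "osk.exe",
                          "magnify.exe", "displayswitch.exe", "atbroker.exe")
ACCESSIBILITY_PATTERNS = tuple("*\\" + exe + "\\*" for exe in ACCESSIBILITY_BINARIES)


def wildcard(value, *patterns):
    """Stand-in for EQL's wildcard(): glob match against any of the patterns.
    Assumption: the comparison is case-insensitive."""
    value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower()) for p in patterns)


def matches_rule(event):
    """Apply the analytic to one event: a registry event whose path is an IFEO
    Debugger value AND whose parent key names one of the accessibility binaries."""
    path = event.get("registry_path", "")
    return (event.get("event_type") == "registry"
            and wildcard(path, *IFEO_DEBUGGER_PATTERNS)
            and wildcard(path, *ACCESSIBILITY_PATTERNS))


# Constructed sample events (not real telemetry).
IFEO = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
IFEO_WOW = r"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SAMPLE_EVENTS = [
    {"event_type": "registry", "registry_path": IFEO + r"\sethc.exe\Debugger"},        # hit
    {"event_type": "registry", "registry_path": IFEO_WOW + r"\UTILMAN.EXE\Debugger"},  # hit: WOW64 view, mixed case
    {"event_type": "registry", "registry_path": IFEO + r"\notepad.exe\Debugger"},      # miss: not an accessibility binary
    {"event_type": "registry", "registry_path": IFEO + r"\sethc.exe\GlobalFlag"},      # miss: not the Debugger value
    {"event_type": "process", "registry_path": IFEO + r"\osk.exe\Debugger"},           # miss: not a registry event
]


def run_rule(events):
    """Return the registry paths of the events the analytic would flag."""
    return [e["registry_path"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("IFEO Debugger set on accessibility feature:", hit)
```

The third sample shows the rule's scope: a Debugger value on a program outside the accessibility list is not covered here, so a broader IFEO analytic is needed to catch it.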