OTRF / ThreatHunter-Playbook

A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient.
MIT License

T1015 - Accessibility Features - Possible Fix to Current Hunt #28

Open sahar55 opened 5 years ago

sahar55 commented 5 years ago

So I've been examining this hunt/detection, and I have attempted to recreate the conditions for this hunt. While doing so, I have encountered possibly incorrect logic presented in this hunt. I may be wrong, and if so I'd be happy to learn how to get the desired result.

TL;DR:

1. ParentImage OR ParentProcessName is not the Accessibility program (as suggested in the hunt), but rather the process "winlogon.exe".
2. ParentProcessName is not a field that exists in event 4688 - "Creator Process Name" is, and it only exists since Win10 according to this: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4688

What I used:

The scenario is this: I used IFEO to set cmd.exe as a debugger for sethc.exe. Then I used Sticky Keys and other methods to invoke sethc.exe, and while reviewing the logs (both Evt and Sysmon), none of them had sethc.exe as the parent of cmd.exe.

In addition, if those accessibility features do have a debugger set for them, the analytic proposed shouldn't work, since it won't execute the accessibility program.

Am I missing something? If you need additional details, I'd be happy to provide them. Looking forward to your answer, Sahar.
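The two parent-process conditions discussed in this issue, side by side over constructed Sysmon Event ID 1 and Security 4688 records (an added example, not code from the ThreatHunter-Playbook; the EXPECTED_WINLOGON_CHILDREN allow-list and the sample events are assumptions):

```python
import ntpath
# Added example (not ThreatHunter-Playbook code): the hunt's "parent is the
# accessibility binary" logic beside the issue's "parent is winlogon.exe" one.
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
                          "narrator.exe", "displayswitch.exe", "atbroker.exe"}
# Children winlogon.exe normally spawns (assumption; tune for your estate).
EXPECTED_WINLOGON_CHILDREN = ACCESSIBILITY_BINARIES | {"userinit.exe", "logonui.exe", "dwm.exe", "fontdrvhost.exe"}

def _base(path):
    return ntpath.basename(path or "").lower()

def parent_of(event):
    # Sysmon Event ID 1 carries ParentImage; Security 4688 carries
    # "Creator Process Name" (Win10+), not ParentProcessName.
    return event.get("ParentImage") or event.get("Creator Process Name") or ""

def image_of(event):
    return event.get("Image") or event.get("New Process Name") or ""

def original_hunt(event):
    """Playbook logic as described in the issue: parent is the accessibility binary."""
    return _base(parent_of(event)) in ACCESSIBILITY_BINARIES

def revised_hunt(event):
    """Issue's observation: winlogon.exe launches the IFEO debugger itself."""
    if _base(parent_of(event)) != "winlogon.exe":
        return False
    child = _base(image_of(event))
    if child in ACCESSIBILITY_BINARIES:
        return False  # winlogon launching the real sethc.exe is expected
    if child not in EXPECTED_WINLOGON_CHILDREN:
        return True   # e.g. cmd.exe as a direct child of winlogon.exe
    # Expected child, but the hijacked binary's path rides on its command line.
    cmdline = (event.get("CommandLine") or event.get("Process Command Line") or "").lower()
    return any(b in cmdline for b in ACCESSIBILITY_BINARIES)

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\winlogon.exe",
     "CommandLine": r'C:\Windows\System32\cmd.exe "C:\Windows\System32\sethc.exe"'},
    {"New Process Name": r"C:\Windows\System32\cmd.exe",
     "Creator Process Name": r"C:\Windows\System32\winlogon.exe",
     "Process Command Line": r"cmd.exe C:\Windows\System32\utilman.exe"},
    {"Image": r"C:\Windows\System32\sethc.exe", "ParentImage": r"C:\Windows\System32\winlogon.exe",
     "CommandLine": r"C:\Windows\System32\sethc.exe"},
]

def run_hunts(events=SAMPLE_EVENTS):
    """Return (indices the original hunt flags, indices the revised hunt flags)."""
    return ([i for i, e in enumerate(events) if original_hunt(e)],
            [i for i, e in enumerate(events) if revised_hunt(e)])
```

On the sample records the original condition flags nothing, while the winlogon.exe-parent condition flags the two debugger launches and leaves the genuine sethc.exe start alone.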

Cyb3rWard0g commented 2 years ago

Hello @sahar55 ! We changed the format a little bit and cleaned some of the playbooks from before. I will add this as a new playbook since I believe the last one was removed while migrating from MD -> YAML -> Notebooks. Thank you for sharing this!