Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Potential DLL Injection Via AccCheckConsole

Detects the execution "AccCheckConsole" a command-line tool for verifying the accessibility implementation of an application's UI. One of the tests that this checker can run are called "verification routine", which tests for things like Consistency, Navigation, etc. The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such DLLs and pass it via the CLI, which would then be loaded in the context of the "AccCheckConsole" utility.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems)Created Thu Jan 06Updated Thu Aug 290f6da907-5854-4be6-859a-e9958747b0aawindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection_img:
        - Image|endswith: '\AccCheckConsole.exe'
        - OriginalFileName: 'AccCheckConsole.exe'
    selection_cli:
        CommandLine|contains:
            - ' -hwnd'
            - ' -process '
            - ' -window '
    condition: all of selection_*
False Positives

Legitimate use of the UI Accessibility Checker

References
1
Resolving title…
gist.github.com
2
Resolving title…
twitter.com
3
Resolving title…
lolbas-project.github.io
MITRE ATT&CK

Other

detection.threat-hunting
Rule Metadata
Rule ID
0f6da907-5854-4be6-859a-e9958747b0aa
Status
test
Level
medium
Type
Detection
Created
Thu Jan 06
Modified
Thu Aug 29
Author
Florian Roth (Nextron Systems)
Path
rules/windows/process_creation/proc_creation_win_acccheckconsole_execution.yml
Raw Tags
attack.executiondetection.threat-hunting
View on GitHub