Type: Detection | Level: medium | Status: test
Atbroker Registry Change
Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'
Author: Mateusz Wydra, oscd.community. Created Tue Oct 13, updated Thu Jan 19. Rule ID: 9577edbb-851f-4243-8c91-1d5b50c1a39b. Platform: windows.
Log Source
Product: Windows (raw: windows)
Category: Registry Event (raw: registry_event)
Events for Windows Registry modifications including key creation, modification, and deletion.
Detection Logic (3 selectors)
detection:
  selection:
    TargetObject|contains:
      - 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs'
      - 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration'
  filter_atbroker:
    Image: 'C:\Windows\system32\atbroker.exe'
    TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration'
    Details: '(Empty)'
  filter_uninstallers:
    Image|startswith: 'C:\Windows\Installer\MSI'
    TargetObject|contains: 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs'
  condition: selection and not 1 of filter_*
False Positives
Creation of non-default, legitimate at usage
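To show how the two filters interact with the selection, here is an added Python evaluation of the rule's logic over constructed registry events. This is example code written for this page, not part of the Sigma rule or the converter; the field names (Image, TargetObject, Details) follow the Sysmon-style registry_event fields the rule references, and every process path, SID and key name in the sample events is a constructed placeholder. Matching is done case-insensitively, as Sigma string modifiers are by default.

```python
"""Added worked example (not part of the Sigma rule or the converter page):
evaluates the Atbroker Registry Change detection logic over constructed
registry events. Field names follow the Sysmon-style registry_event fields
the rule references (Image, TargetObject, Details); the events below are
constructed samples, not data from the page."""

# Values copied from the rule's selectors.
SELECTION_PATHS = (
    r"Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs",
    r"Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration",
)
ATBROKER_IMAGE = r"C:\Windows\system32\atbroker.exe"
ATBROKER_CONFIG_PATH = r"\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration"
MSI_IMAGE_PREFIX = r"C:\Windows\Installer\MSI"


def _s(event, field):
    """Return a field as a lowercase string; Sigma matches case-insensitively."""
    return str(event.get(field, "")).lower()


def selection(event):
    """selection: TargetObject|contains one of the two accessibility paths."""
    target = _s(event, "TargetObject")
    return any(path.lower() in target for path in SELECTION_PATHS)


def filter_atbroker(event):
    """filter_atbroker: atbroker.exe itself touching the Configuration key
    with the '(Empty)' Details value (a bare key creation, no value data)."""
    return (
        _s(event, "Image") == ATBROKER_IMAGE.lower()
        and ATBROKER_CONFIG_PATH.lower() in _s(event, "TargetObject")
        and _s(event, "Details") == "(empty)"
    )


def filter_uninstallers(event):
    """filter_uninstallers: Windows Installer (MSI*) processes writing the ATs key."""
    return (
        _s(event, "Image").startswith(MSI_IMAGE_PREFIX.lower())
        and SELECTION_PATHS[0].lower() in _s(event, "TargetObject")
    )


FILTERS = (filter_atbroker, filter_uninstallers)


def matches(event):
    """condition: selection and not 1 of filter_*"""
    return selection(event) and not any(f(event) for f in FILTERS)


# Constructed sample events (hypothetical process paths, SIDs and key names).
SAMPLE_EVENTS = {
    "third_party_registers_at": {
        "Image": r"C:\Users\Public\helper.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\customat",
        "Details": "(Empty)",
    },
    "atbroker_creates_config_key": {
        "Image": r"C:\Windows\System32\AtBroker.exe",
        "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration",
        "Details": "(Empty)",
    },
    "atbroker_sets_config_value": {
        "Image": ATBROKER_IMAGE,
        "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration",
        "Details": "narrator",
    },
    "msi_installer_writes_ats": {
        "Image": r"C:\Windows\Installer\MSI1A2B.tmp",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\vendorat",
        "Details": "(Empty)",
    },
    "unrelated_run_key": {
        "Image": r"C:\Windows\explorer.exe",
        "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\app",
        "Details": r"C:\app.exe",
    },
}


def evaluate(events=SAMPLE_EVENTS):
    """Return {label: True if the rule would alert on that event}."""
    return {label: matches(ev) for label, ev in events.items()}


if __name__ == "__main__":
    for label, hit in evaluate().items():
        print(f"{'ALERT' if hit else 'ok   '} {label}")
```

Two points the sample set makes visible: the MSI filter only covers the ATs key, so an installer writing the Configuration key still alerts, and filter_atbroker only excludes atbroker.exe events whose Details is '(Empty)', so a value write by atbroker.exe under the Configuration key is not filtered. Both are worth knowing when tuning the rule's listed false positive (non-default but legitimate AT registrations).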
MITRE ATT&CK
Tactics: Privilege Escalation, Defense Evasion, Persistence
Techniques: T1218, T1547
Rule Metadata
Rule ID
9577edbb-851f-4243-8c91-1d5b50c1a39b
Status
test
Level
medium
Type
Detection
Created
Tue Oct 13
Modified
Thu Jan 19
Author
Mateusz Wydra, oscd.community
Path
rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml
Raw Tags
attack.privilege-escalation, attack.defense-evasion, attack.t1218, attack.persistence, attack.t1547