The Windows Registry location HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options allows parameters to be set for applications at execution time. One feature abused by malicious actors is the “Debugger” value. When this value is set under an application's key, a debugger command line can be specified: Windows launches that debugger command line and passes the original command line to it as an argument. Adversaries can set a Debugger for the accessibility applications. This analytic looks for the original command line appearing as an argument to the Debugger. When the strings “sethc.exe”, “utilman.exe”, “osk.exe”, “narrator.exe”, or “Magnify.exe” are detected in the arguments, but not as the main executable, it is very likely that a Debugger is set.

The false-positive rate of this analytic depends on whether these strings are passed as arguments to other applications in the day-to-day environment. Although it is unlikely that “sethc.exe” would be used as an argument to another application, it remains a possibility.

ATT&CK Detections

Technique:          Event Triggered Execution
Subtechnique(s):    Accessibility Features
Tactic(s):          Privilege Escalation, Persistence
Level of Coverage:  Moderate

D3FEND Techniques

ID      Name
D3-PLA  Process Lineage Analysis

Data Model References

Object   Action  Field
process  create  command_line
process  create  exe

Implementations

Pseudocode

One simple way to implement this technique is to note that in a default Windows configuration there are no spaces in the path to the system32 folder. If an accessibility program is ever run with a Debugger set, Windows launches the Debugger process and appends the accessibility program's command line to it. As a result, a space appears in the command line before the path to the accessibility program. Looking for any instance of a space in the command line before the name of an accessibility program will help identify when Debuggers are set.

process = search Process:Create
debuggers = filter process where (command_line match "^.* .*(sethc|utilman|osk|narrator|magnify)\.exe")
output debuggers
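The pseudocode above, worked through as an added example (not CAR's own implementation) over constructed Sysmon Event ID 1 records. It assumes each record is a dict carrying the data model's `exe` and `command_line` fields, and it adds the check the description calls for: the accessibility program name must appear as an argument, not as the main executable, and a name buried inside another file name (e.g. "kiosk.exe") does not count.

```python
import re

# Accessibility programs for which adversaries set an IFEO "Debugger" value.
ACCESSIBILITY_EXES = ("sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", "magnify.exe")

# A space, then an optional path prefix ending in a separator, then the program name.
# Requiring the separator (or nothing) before the name avoids matching "kiosk.exe".
_ARG_PATTERN = re.compile(
    r'\s(?:\S*[\\/])?(?:sethc|utilman|osk|narrator|magnify)\.exe(?=[\s"]|$)',
    re.IGNORECASE,
)


def is_debugger_launch(event):
    """True when an accessibility program is in the arguments but is not the image itself."""
    image_name = event["exe"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image_name in ACCESSIBILITY_EXES:
        return False  # the accessibility program launched normally, e.g. "sethc.exe 211"
    return _ARG_PATTERN.search(event["command_line"]) is not None


def find_debuggers(events):
    """Mirror of the pseudocode: Process:Create events whose arguments name an accessibility exe."""
    return [e for e in events if e["event_id"] == 1 and is_debugger_launch(e)]


# Constructed sample telemetry (hypothetical, not real events).
SAMPLE_EVENTS = [
    {"event_id": 1, "exe": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c "C:\Windows\System32\sethc.exe" 211'},   # Debugger set
    {"event_id": 1, "exe": r"C:\Windows\System32\sethc.exe",
     "command_line": r"C:\Windows\System32\sethc.exe 211"},                # normal launch
    {"event_id": 1, "exe": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe Magnify.exe"},                               # the unit test below
    {"event_id": 1, "exe": r"C:\Tools\kiosk.exe",
     "command_line": r"C:\Tools\kiosk.exe --restart kiosk.exe"},           # benign, no alert
    {"event_id": 3, "exe": r"C:\Windows\System32\svchost.exe"},            # not a process create
]

if __name__ == "__main__":
    for hit in find_debuggers(SAMPLE_EVENTS):
        print("possible IFEO Debugger:", hit["command_line"])
```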

Logpoint, LogPoint native

LogPoint version of the above pseudocode.

norm_id=WindowsSysmon event_id=1 command IN ["$* *sethc.exe", "$* *utilman.exe", "$* *osk.exe", "$* *narrator.exe", "$* *magnify.exe"]

Unit Tests

Test Case 1

Configurations: Windows 7

Although it does not actually utilize the Debugging command line, an easy way to test this analytic is to run cmd.exe from a command window, supplying one of the strings as an argument.

cmd.exe Magnify.exe