From 1df582d8db26e788435cd9e8ee9c0bd973087fd4 Mon Sep 17 00:00:00 2001
From: sn0w0tter <42819997+sn0w0tter@users.noreply.github.com>
Date: Mon, 12 Oct 2020 17:10:34 -0700
Subject: [PATCH] OSCD LOLBAS atbroker suspicious creation of ATs

---
 .../sysmon_susp_atbroker_change.yml | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 rules/windows/registry_event/sysmon_susp_atbroker_change.yml

diff --git a/rules/windows/registry_event/sysmon_susp_atbroker_change.yml b/rules/windows/registry_event/sysmon_susp_atbroker_change.yml
new file mode 100644
index 000000000..8ad56900a
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_susp_atbroker_change.yml
@@ -0,0 +1,25 @@
+title: Atbroker Registry Change
+id: 9577edbb-851f-4243-8c91-1d5b50c1a39b
+description: Detects creation/modification of Assisitive Technology applications and persistance with usage of ATs
+author: Mateusz Wydra, oscd.community
+references:
+ - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Atbroker.yml
+date: 2020/10/13
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+ - attack.persistance
+ - attack.t1547
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ creation:
+ TargetObject|contains: Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
+ persistance:
+ TargetObject|contains: Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
+ condition: creation or persistance
+falsepositives:
+ - Creation of non-default, legitimate AT.
+level: High
\ No newline at end of file
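Review bot: `level: High` and the tag `attack.persistance` in the new rule will not pass Sigma validation — the level enumeration is lowercase, so it should read `level: high`, and the ATT&CK tactic tag is spelled `attack.persistence`; as written, the tactic will not map in downstream tooling and the repository's schema check would reject the file. The same misspelling recurs in the description (`Assisitive`, `persistance`) and in the selection name, which does not affect matching but is worth normalising in the same commit. A `status:` line (most likely `status: experimental` for a new rule) is also absent, which other rules in this repository typically carry. Both `TargetObject|contains` patterns carry no hive prefix, so writes under either HKLM or HKCU match, which is consistent with the referenced hexacorn post's per-user Configuration value; stating that in the description would help whoever tunes the false-positive entry.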