From c6ddbc78ce5504d65210d2d65397eea24a3f6201 Mon Sep 17 00:00:00 2001
From: sn0w0tter <42819997+sn0w0tter@users.noreply.github.com>
Date: Mon, 12 Oct 2020 15:55:38 -0700
Subject: [PATCH 1/2] OSCD LOLBAS atbroker suspicious execution of ATs
---
 .../process_creation/win_susp_atbroker.yml | 53 +++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_atbroker.yml
diff --git a/rules/windows/process_creation/win_susp_atbroker.yml b/rules/windows/process_creation/win_susp_atbroker.yml
new file mode 100644
index 000000000..9036e28a4
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_atbroker.yml
@@ -0,0 +1,53 @@
+title: Suspicious atbroker execution
+id: f24bcaea-0cd1-11eb-adc1-0242ac120002
+description: Atbroker executing non-deafualt Assistive Technology applications
+references:
+ - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
+ - https://lolbas-project.github.io/lolbas/Binaries/Atbroker/
+status: experimental
+author: Mateusz Wydra, oscd.community
+date: 2020/10/12
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ - Image|endswith: 'AtBroker.exe'
+ selection2:
+ - CommandLine|contains: 'start'
+ filter:
+ - CommandLine|contains:
+ - animations
+ - audiodescription
+ - caretbrowsing
+ - caretwidth
+ - colorfiltering
+ - cursorscheme
+ - filterkeys
+ - focusborderheight
+ - focusborderwidth
+ - highcontrast
+ - keyboardcues
+ - keyboardpref
+ - magnifierpane
+ - messageduration
+ - minimumhitradius
+ - mousekeys
+ - Narrator
+ - osk
+ - overlappedcontent
+ - showsounds
+ - soundsentry
+ - stickykeys
+ - togglekeys
+ - windowarranging
+ - windowtracking
+ - windowtrackingtimeout
+ - windowtrackingzorder
+ condition: selection1 and selection2 and not filter
+falsepositives:
+ - Legitimate, non-deafualt Assistive Technology applications execution
+level: high
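Review bot: `Image|endswith: 'AtBroker.exe'` in selection1 has no leading path separator, so any image whose name merely ends in that string matches; the usual Sigma form is `Image|endswith: '\AtBroker.exe'`. The filter compares `CommandLine|contains` against bare AT names, so a command line that includes one of those tokens anywhere is excluded, which is looser than the intended set of default Assistive Technology names; a tighter form such as matching the full `start <name>` argument with `endswith` would narrow the exclusion, assuming the default AT name is the whole remaining argument — worth confirming against the LOLBAS reference. `non-deafualt` is misspelled in both `description` and `falsepositives` (`non-default`); the follow-up commit only changes the title's capitalization. As a point of style, selection1 and selection2 are single-entry lists next to map-form keys elsewhere in the rule; writing them as plain maps (`selection1:` followed by `  Image|endswith: '\AtBroker.exe'`) reads more conventionally.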
From 863b880845a188086c4b86da3fd0c5daafec10d7 Mon Sep 17 00:00:00 2001
From: sn0w0tter <42819997+sn0w0tter@users.noreply.github.com>
Date: Mon, 12 Oct 2020 16:04:41 -0700
Subject: [PATCH 2/2] Titile capitalization
---
 rules/windows/process_creation/win_susp_atbroker.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_susp_atbroker.yml b/rules/windows/process_creation/win_susp_atbroker.yml
index 9036e28a4..ca842b913 100644
--- a/rules/windows/process_creation/win_susp_atbroker.yml
+++ b/rules/windows/process_creation/win_susp_atbroker.yml
@@ -1,4 +1,4 @@
-title: Suspicious atbroker execution
+title: Suspicious Atbroker Execution
 id: f24bcaea-0cd1-11eb-adc1-0242ac120002
 description: Atbroker executing non-deafualt Assistive Technology applications
 references: