From 49c12f1df8c04464d1ca1000ad557df51b6f35c7 Mon Sep 17 00:00:00 2001
From: Karneades
Date: Fri, 16 Mar 2018 10:52:43 +0100
Subject: [PATCH] Add missing binaries

---
 rules/windows/sysmon/sysmon_stickykey_like_backdoor.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/rules/windows/sysmon/sysmon_stickykey_like_backdoor.yml b/rules/windows/sysmon/sysmon_stickykey_like_backdoor.yml
index 4dab871d8..6fc40cf99 100644
--- a/rules/windows/sysmon/sysmon_stickykey_like_backdoor.yml
+++ b/rules/windows/sysmon/sysmon_stickykey_like_backdoor.yml
@@ -16,12 +16,18 @@ detection:
 - '*\cmd.exe sethc.exe *'
 - '*\cmd.exe utilman.exe *'
 - '*\cmd.exe osk.exe *'
+ - '*\cmd.exe Magnify.exe *'
+ - '*\cmd.exe Narrator.exe *'
+ - '*\cmd.exe DisplaySwitch.exe *'
 selection_registry:
 EventID: 13
 TargetObject:
 - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger'
 - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger'
 - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger'
+ - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger'
+ - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger'
+ - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger'
 EventType: 'SetValue'
 condition: 1 of them
 falsepositives:
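Review bot: The three added CommandLine patterns end in `.exe *`, a literal space before the wildcard, so a debugger-style launch in which the accessibility binary's original command line carries no trailing argument (ending in `Magnify.exe`, `Narrator.exe` or `DisplaySwitch.exe`) would presumably not match; dropping the space, as in `- '*\cmd.exe DisplaySwitch.exe*'`, keeps every current match and closes that gap, and the same applies to the three pre-existing sethc/utilman/osk entries. The new entries are also mixed-case in both lists while the existing ones are lowercase; whether that matters depends on the backend's case handling, so either normalise to `magnify.exe`, `narrator.exe`, `displayswitch.exe` for consistency or document in the rule that matching is assumed case-insensitive. The `selection_process` mapping these CommandLine entries belong to starts before the hunk.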