security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
b2acd800981e1c8d9f747173eb7803f0405cebd6
blue-team-tools/rules/windows/process_creation/proc_creation_win_acccheckconsole_execution.yml
T
Nasreddine Bencherchali 4cd51a3dd5 Merge PR #4937 from @nasbench - Multiple updates and fixes 
fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Exclude additional edge cases
fix: Relevant Anti-Virus Signature Keywords In Application Log - Exclude common keywords found in legitimate programs
fix: Suspicious Child Process Of Wermgr.EXE - Add new exclusions
fix: Uncommon Sigverif.EXE Child Process - Exclude werfault.exe
fix: Wusa.EXE Executed By Parent Process Located In Suspicious Location - Exclude ".msu" files
fix: Xwizard.EXE Execution From Non-Default Location - Exclude "WinSxS"
update: Cab File Extraction Via Wusa.EXE - Move to TH folder
update: COM Object Execution via Xwizard.EXE - Update logic
update: Potential DLL Injection Via AccCheckConsole - Enhance coverage and logic
update: Potential DLL Sideloading Activity Via ExtExport.EXE - Metadata and logic update
update: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Increase coverage
update: Process Memory Dump via RdrLeakDiag.EXE - Enhance coverage
2024-08-29 14:43:32 +02:00

34 lines
1.4 KiB
YAML
Raw Blame History

title: Potential DLL Injection Via AccCheckConsole
id: 0f6da907-5854-4be6-859a-e9958747b0aa
status: test
description: |
Detects the execution "AccCheckConsole" a command-line tool for verifying the accessibility implementation of an application's UI.
One of the tests that this checker can run are called "verification routine", which tests for things like Consistency, Navigation, etc.
The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such DLLs and pass it via the CLI, which would then be loaded in the context of the "AccCheckConsole" utility.
references:
- https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340
- https://twitter.com/bohops/status/1477717351017680899?s=12
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/
author: Florian Roth (Nextron Systems)
date: 2022-01-06
modified: 2024-08-29
tags:
- attack.execution
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\AccCheckConsole.exe'
- OriginalFileName: 'AccCheckConsole.exe'
selection_cli:
CommandLine|contains:
- ' -hwnd'
- ' -process '
- ' -window '
condition: all of selection_*
falsepositives:
- Legitimate use of the UI Accessibility Checker
level: medium
Reference in New Issue View Git Blame Copy Permalink