Splunk Lantern

Windows accessibility binary modifications

Microsoft Windows contains accessibility features that can be launched with a key combination before a user has logged in. 

You suspect that an adversary has modified or replaced accessibility programs so they can get a command prompt or backdoor without logging in to the system. You need to search for any such modifications. 

Data required 

Endpoint data

Procedure

  1. To complete this process, your deployment needs to ingest endpoint data that tracks file system activity from your hosts. You should also ensure you are ingesting normalized endpoint data, populating the Filesystem node of the Endpoint data model in the Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation.
  2. If you are using Sysmon, ensure you have a Splunk Universal Forwarder on each endpoint from which you want to collect data.
  3. Run the following search. You can optimize it by specifying an index and adjusting the time range.
|tstats summariesonly=true allow_old_summaries=true count min(_time) AS firstTime max(_time) AS lastTime values(Filesystem.user) AS user values(Filesystem.dest) AS dest values(Filesystem.file_path) AS file_path FROM datamodel=Endpoint.Filesystem WHERE (Filesystem.file_path=*\\Windows\\System32\\sethc.exe* OR Filesystem.file_path=*\\Windows\\System32\\utilman.exe* OR Filesystem.file_path=*\\Windows\\System32\\osk.exe* OR Filesystem.file_path=*\\Windows\\System32\\Magnify.exe* OR Filesystem.file_path=*\\Windows\\System32\\Narrator.exe* OR Filesystem.file_path=*\\Windows\\System32\\DisplaySwitch.exe* OR Filesystem.file_path=*\\Windows\\System32\\AtBroker.exe*) BY Filesystem.file_name Filesystem.dest 
|rename "Filesystem.*" as "*" 
|convert timeformat="%m/%d/%Y %H:%M:%S" ctime(lastTime)
|convert timeformat="%m/%d/%Y %H:%M:%S" ctime(firstTime)

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search: |tstats summariesonly=true allow_old_summaries=true count min(_time) AS firstTime max(_time) AS lastTime values(Filesystem.user) AS user values(Filesystem.dest) AS dest values(Filesystem.file_path) AS file_path FROM datamodel=Endpoint.Filesystem WHERE (Filesystem.file_path=*\\Windows\\System32\\sethc.exe* OR Filesystem.file_path=*\\Windows\\System32\\utilman.exe* OR Filesystem.file_path=*\\Windows\\System32\\osk.exe* OR Filesystem.file_path=*\\Windows\\System32\\Magnify.exe* OR Filesystem.file_path=*\\Windows\\System32\\Narrator.exe* OR Filesystem.file_path=*\\Windows\\System32\\DisplaySwitch.exe* OR Filesystem.file_path=*\\Windows\\System32\\AtBroker.exe*) BY Filesystem.file_name Filesystem.dest
Explanation: Query the Endpoint.Filesystem data model object for file system activity on the accessibility binaries that attackers commonly replace. For each binary, grouped by file name and host, the search reports the event count, the first and last time the file was touched, and the users that modified it.

Splunk Search: |rename "Filesystem.*" as "*"
Explanation: Rename the data model object fields for better readability.

Splunk Search: |convert timeformat="%m/%d/%Y %H:%M:%S" ctime(firstTime)
|convert timeformat="%m/%d/%Y %H:%M:%S" ctime(lastTime)
Explanation: Convert these epoch timestamps into readable strings.
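The following Python script is an added example, not part of the Lantern article or the Splunk search itself. It reproduces the search's filter and aggregation over a handful of constructed Endpoint.Filesystem-style events, so you can see which records the WHERE clause keeps (only paths under \Windows\System32, matched case-insensitively like the wildcard) and how the BY clause groups them; hostnames, users and timestamps are made up, and output times are rendered in UTC.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Binaries the Lantern search watches under \Windows\System32
WATCHED_BINARIES = ["sethc.exe", "utilman.exe", "osk.exe", "Magnify.exe",
                    "Narrator.exe", "DisplaySwitch.exe", "AtBroker.exe"]

# Constructed sample events shaped like normalized Endpoint.Filesystem records
# (_time in epoch seconds). Hosts and users are invented for this example.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "user": "NT AUTHORITY\\SYSTEM", "dest": "ws01",
     "file_path": "C:\\Windows\\System32\\sethc.exe", "file_name": "sethc.exe"},
    {"_time": 1700003600, "user": "CORP\\jdoe", "dest": "ws01",
     "file_path": "C:\\Windows\\System32\\sethc.exe", "file_name": "sethc.exe"},
    {"_time": 1700007200, "user": "CORP\\jdoe", "dest": "ws02",
     "file_path": "C:\\Windows\\System32\\utilman.exe", "file_name": "utilman.exe"},
    {"_time": 1700010800, "user": "CORP\\asmith", "dest": "ws02",
     "file_path": "C:\\Windows\\System32\\notepad.exe", "file_name": "notepad.exe"},
    {"_time": 1700014400, "user": "CORP\\jdoe", "dest": "ws03",
     "file_path": "C:\\Users\\jdoe\\Downloads\\sethc.exe", "file_name": "sethc.exe"},
]

def matches_watchlist(file_path):
    """Mirror the WHERE clause: file_path=*\\Windows\\System32\\<binary>* (case-insensitive)."""
    lower = file_path.lower()
    return any("\\windows\\system32\\" + b.lower() in lower for b in WATCHED_BINARIES)

def fmt_time(epoch):
    """Mirror '| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(...)'; UTC is assumed here."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")

def summarize(events):
    """Mirror the tstats aggregation: group BY file_name and dest, then report
    count, min/max _time and the distinct values of user and file_path per group."""
    groups = defaultdict(list)
    for ev in events:
        if matches_watchlist(ev["file_path"]):
            groups[(ev["file_name"], ev["dest"])].append(ev)
    rows = []
    for (file_name, dest), evs in sorted(groups.items()):
        times = [e["_time"] for e in evs]
        rows.append({"file_name": file_name, "dest": dest, "count": len(evs),
                     "firstTime": fmt_time(min(times)), "lastTime": fmt_time(max(times)),
                     "user": sorted({e["user"] for e in evs}),
                     "file_path": sorted({e["file_path"] for e in evs})})
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print(row)
```

In the sample data, notepad.exe and the copy of sethc.exe in a user profile are dropped by the filter, while the System32 sethc.exe on ws01 surfaces with two distinct users, which is exactly the row an analyst would review against the update cycle.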

Next steps

Review whether any unusual user has modified a Windows accessibility binary. Note that Microsoft may provide updates to these binaries, so verify that the changes do not correspond with your normal software update cycle. If a binary has been modified outside that cycle, collect its hash and analyze it through common malware analysis tools like VirusTotal or ReversingLabs. If you have Splunk SOAR, this action can be automated via a playbook; the Malware Hunt and Contain playbook provides an example of how to do so.

For additional information about this search, such as its applicability to common frameworks and standards, see this project on GitHub.

You might also be interested in other processes associated with the Monitoring for signs of Windows privilege escalation attacks use case.