So I've been examining this hunt/detection and have attempted to recreate the conditions for it, and while doing so I encountered possibly incorrect logic in this hunt.
I may be wrong and if so I'd be happy to learn how to get the desired result.
TL;DR:
1. ParentImage or ParentProcessName is not the accessibility program (as suggested in the hunt), but rather the process "winlogon.exe".
2. ParentProcessName is not a field that exists in event 4688; "Creator Process Name" is, and it only exists since Win10 according to this: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4688
What I used:
Windows Server 2012 R2
Advanced Event log auditing policy (where every category and subcategory are configured to be logged)
The scenario is this:
I used IFEO to set cmd.exe as a debugger for sethc.exe; then I used Sticky Keys and other methods to invoke sethc.exe, and while reviewing the logs (both Evt and Sysmon) none of them had sethc.exe as the parent of cmd.exe.
In addition, if those accessibility features do have a debugger set for them, the analytic proposed shouldn't work, since it won't execute the accessibility program.
Am I missing something?
If you need additional details I'd be happy to provide,
looking forward to your answer,
Sahar.
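Detection logic matching the observation in this issue, as an added example that is not code from the issue author or from the playbook: it maps Sysmon Event ID 1 and Security 4688 field names onto one schema and flags children of winlogon.exe that are outside an assumed allowlist of accessibility and logon binaries, so a debugger launched in place of sethc.exe (cmd.exe here) is caught even though sethc.exe never appears as the parent. The allowlist and the sample records are assumptions constructed for the example.

```python
# Added example: winlogon.exe-parent detection over constructed process-creation
# records. Not part of the issue or the playbook.
from typing import Dict, List

# Processes winlogon.exe is expected to spawn (assumed allowlist): the
# accessibility binaries covered by T1015 plus the normal logon helpers.
KNOWN_WINLOGON_CHILDREN = {
    "sethc.exe", "utilman.exe", "osk.exe", "magnify.exe", "narrator.exe",
    "displayswitch.exe", "atbroker.exe",           # accessibility features
    "userinit.exe", "logonui.exe", "dwm.exe",      # normal logon children
}


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def normalize(event: Dict[str, str]) -> Dict[str, str]:
    """Map Sysmon (ParentImage/Image) and 4688 (Creator Process Name/
    New Process Name) onto {parent, child}. 4688 has no ParentProcessName."""
    if "ParentImage" in event:
        parent, child = event["ParentImage"], event["Image"]
    else:
        parent, child = event["Creator Process Name"], event["New Process Name"]
    return {"parent": _basename(parent), "child": _basename(child)}


def suspicious_winlogon_children(events: List[Dict[str, str]]) -> List[str]:
    """Return child image names spawned by winlogon.exe outside the allowlist."""
    hits = []
    for ev in events:
        n = normalize(ev)
        if n["parent"] == "winlogon.exe" and n["child"] not in KNOWN_WINLOGON_CHILDREN:
            hits.append(n["child"])
    return hits


# Constructed sample records: one benign sethc.exe launch, one IFEO-style
# cmd.exe launch seen by Sysmon, the same launch seen by 4688, and a benign
# cmd.exe from explorer.exe that must not match.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\winlogon.exe", "Image": r"C:\Windows\System32\sethc.exe"},
    {"ParentImage": r"C:\Windows\System32\winlogon.exe", "Image": r"C:\Windows\System32\cmd.exe"},
    {"Creator Process Name": r"C:\Windows\System32\winlogon.exe", "New Process Name": r"C:\Windows\System32\cmd.exe"},
    {"Creator Process Name": r"C:\Windows\explorer.exe", "New Process Name": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    print(suspicious_winlogon_children(SAMPLE_EVENTS))  # prints ['cmd.exe', 'cmd.exe']
```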
sahar55 changed the title from "T1015 - Accessibility Features - Possibly incorrect hunt" to "T1015 - Accessibility Features - Possible Fix to Current Hunt" on Jan 16, 2019.
Hello @sahar55 ! We changed the format a little bit and cleaned some of the playbooks from before. I will add this as a new playbook since I believe the last one was removed while migrating from MD -> YAML -> Notebooks. Thank you for sharing this!