MITRE Technique T1546.008 (Event Triggered Execution: Accessibility Features)
Read about this MITRE Technique at -
The following is a Splunk query for logs from Sysmon to detect this technique being used on Windows -
index=sysmon
    (EventCode=13 TargetObject IN (*osk.exe*, *sethc.exe*, *utilman.exe*, *magnify.exe*, *narrator.exe*, *DisplaySwitch.exe*, *atbroker.exe*))
    OR (EventCode=11 TargetFilename IN (*osk.exe*, *sethc.exe*, *utilman.exe*, *magnify.exe*, *narrator.exe*, *DisplaySwitch.exe*, *atbroker.exe*))
| eval TargetFile=coalesce(TargetObject, TargetFilename)
| mvexpand User
| search NOT User="NOT_TRANSLATED"
| table TargetFile UtcTime Sid ProcessGuid ProcessId Image User ComputerName

EventCode 13 (RegistryEvent, value set) catches the registry form of the technique, most often an Image File Execution Options Debugger value that makes Windows launch another program in place of the accessibility executable; EventCode 11 (FileCreate) catches the older form where the binary itself is overwritten, so the FileCreate branch uses the same executable list as the registry branch. Splunk's Windows extractions can return User as a multivalue field containing NOT_TRANSLATED alongside the real account, which is why the query expands User and then drops that placeholder. Image is included in the output because the writing process is the fastest triage signal: Windows servicing (TrustedInstaller or TiWorker) legitimately rewrites these binaries, whereas reg.exe, cmd.exe or PowerShell touching them is not expected.
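To check the matching logic without a Splunk instance, the following added example (not code from the original page) re-implements the query in Python over constructed Sysmon-style events. Field names mirror the Splunk Sysmon extractions used in the query (TargetObject, TargetFilename, User, Sid and so on); the sample events, account names, SIDs and GUIDs are all made up for the test. It goes slightly beyond the query by tagging a write to an Image File Execution Options Debugger value as high severity, since that is the textbook form of this technique.

```python
"""Offline re-implementation of the Sysmon accessibility-feature detection.

Added example, not part of the original page. It applies the same rules as
the SPL query (EventCode 13 registry writes and EventCode 11 file creations
that mention an accessibility executable, multivalue User expansion, and
dropping NOT_TRANSLATED users) to constructed events so the logic can be
exercised without Splunk. All sample data below is constructed.
"""
import re

# Executables Windows starts from the logon screen (the SPL query's list).
ACCESSIBILITY_EXES = (
    "osk.exe", "sethc.exe", "utilman.exe", "magnify.exe",
    "narrator.exe", "displayswitch.exe", "atbroker.exe",
)

_EXE_ALT = "|".join(re.escape(e) for e in ACCESSIBILITY_EXES)

# Equivalent of TargetObject IN (*osk.exe*, ...): substring match, any case.
_ANY_EXE = re.compile(_EXE_ALT, re.IGNORECASE)

# Classic form of T1546.008: an IFEO Debugger value for one of the executables,
# so Windows runs the "debugger" (for example cmd.exe) instead of it.
_IFEO_DEBUGGER = re.compile(
    r"Image File Execution Options\\(?:" + _EXE_ALT + r")\\Debugger$",
    re.IGNORECASE,
)

OUTPUT_FIELDS = ("UtcTime", "Sid", "ProcessGuid", "ProcessId", "Image", "ComputerName")


def detect(events):
    """Return one result row per (event, user) pair, as the SPL table would."""
    rows = []
    for ev in events:
        code = ev.get("EventCode")
        if code == 13:                      # RegistryEvent (value set)
            target = ev.get("TargetObject", "")
        elif code == 11:                    # FileCreate
            target = ev.get("TargetFilename", "")
        else:
            continue                        # other Sysmon events are out of scope
        if not _ANY_EXE.search(target):
            continue
        # mvexpand User: Windows extractions can yield a multivalue User field.
        users = ev.get("User", [])
        if isinstance(users, str):
            users = [users]
        for user in users:
            if user == "NOT_TRANSLATED":    # search NOT User="NOT_TRANSLATED"
                continue
            row = {field: ev.get(field) for field in OUTPUT_FIELDS}
            row["TargetFile"] = target      # coalesce(TargetObject, TargetFilename)
            row["User"] = user
            row["Severity"] = "high" if _IFEO_DEBUGGER.search(target) else "medium"
            rows.append(row)
    return rows


# Constructed sample events (hypothetical hosts, users, SIDs and GUIDs).
SAMPLE_EVENTS = [
    {   # IFEO Debugger for sethc.exe written by reg.exe: should alert (high)
        "EventCode": 13, "UtcTime": "2024-01-15 09:12:01.000",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger",
        "Details": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\reg.exe", "ProcessGuid": "{1b2c3d4e-0001-0000-0000-000000000001}",
        "ProcessId": "4120", "Sid": "S-1-5-21-1111111111-2222222222-3333333333-1001",
        "User": ["NOT_TRANSLATED", "LAB\\jdoe"], "ComputerName": "WS01.lab.local",
    },
    {   # utilman.exe overwritten by cmd.exe (binary replacement): should alert
        "EventCode": 11, "UtcTime": "2024-01-15 09:13:44.000",
        "TargetFilename": r"C:\Windows\System32\utilman.exe",
        "Image": r"C:\Windows\System32\cmd.exe", "ProcessGuid": "{1b2c3d4e-0002-0000-0000-000000000002}",
        "ProcessId": "4188", "Sid": "S-1-5-21-1111111111-2222222222-3333333333-1001",
        "User": "LAB\\jdoe", "ComputerName": "WS01.lab.local",
    },
    {   # unrelated registry write: no alert
        "EventCode": 13, "UtcTime": "2024-01-15 09:14:02.000",
        "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
        "Image": r"C:\Program Files\Updater\updater.exe", "User": "LAB\\jdoe",
    },
    {   # process creation of osk.exe: not an event type the query looks at
        "EventCode": 1, "Image": r"C:\Windows\System32\osk.exe", "User": "LAB\\jdoe",
    },
    {   # ordinary file write: no alert
        "EventCode": 11, "TargetFilename": r"C:\Temp\notes.txt", "User": "LAB\\jdoe",
    },
]

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row["Severity"], row["ComputerName"], row["User"], row["Image"], "->", row["TargetFile"])
```

Running the module prints two rows: the IFEO Debugger write as high severity for LAB\jdoe (the NOT_TRANSLATED value is dropped, not the event) and the utilman.exe overwrite as medium. The Image column is what separates these from Windows servicing, which also rewrites the same binaries.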