AtBroker.exe
- File Path:
C:\Windows\system32\AtBroker.exe - Description: Windows Assistive Technology Manager
Hashes
| Type | Hash |
|---|---|
| MD5 | 0E175C40A722407F804F30BFB45CEDA8 |
| SHA1 | 5B9938BC8FB5158043063C55EB795884BE6F621C |
| SHA256 | 6837E1C70823796EB24D9E5E0209BEA5C857A34F70B936D6D1CF5791C4F74961 |
| SHA384 | 6287D56143A13D0E41923A4055FBA5BA7CF62232813951FCB4CCC9076CDB3EC695E6CCB04B4AE5A23E910BC15B50686F |
| SHA512 | 742D088A8559D0C6DD13B5B5C21453BF736E5F0EDA2071F279401595F360195677D7053106969CC41852096B357B0A88986603B00A01977124641C5A38A1E0A5 |
| SSDEEP | 1536:U58+Dquaetf7kqOMFsi8ZkHbto3W94e3er7JENPUjdJa/YGO:UyIF/f3X+BZCtCZr7JEaj/OYGO |
| IMP | 587B1C3FD47818346FB8557408E17403 |
| PESHA1 | EA32733357843029F570463FBEAF7E380247D907 |
| PE256 | FD427027C62AE45B2314D59CC47812C1437499356152A1FB49F3B1DF66DD4CD8 |
Signature
- Status: Signature verified.
- Serial:
33000001C422B2F79B793DACB20000000001C4 - Thumbprint:
AE9C1AE54763822EEC42474983D8B635116C8452 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: ATBroker.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.17763.1 (WinBuild.160101.0800)
- Product Version: 10.0.17763.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/69
- VirusTotal Link: https://www.virustotal.com/gui/file/6837e1c70823796eb24d9e5e0209bea5c857a34f70b936d6d1cf5791c4f74961/detection/
Possible Misuse
The following table contains possible examples of AtBroker.exe being misused. While AtBroker.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_install_reg_debugger_backdoor.yml | - 'atbroker.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_atbroker.yml | title: Suspicious Atbroker Execution |
DRL 1.0 |
| sigma | proc_creation_win_susp_atbroker.yml | description: Atbroker executing non-deafualt Assistive Technology applications |
DRL 1.0 |
| sigma | proc_creation_win_susp_atbroker.yml | - https://lolbas-project.github.io/lolbas/Binaries/Atbroker/ |
DRL 1.0 |
| sigma | proc_creation_win_susp_atbroker.yml | Image\|endswith: 'AtBroker.exe' |
DRL 1.0 |
| sigma | registry_event_susp_atbroker_change.yml | title: Atbroker Registry Change |
DRL 1.0 |
| sigma | registry_event_susp_atbroker_change.yml | - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Atbroker.yml |
DRL 1.0 |
| LOLBAS | Atbroker.yml | Name: Atbroker.exe |
|
| LOLBAS | Atbroker.yml | - Command: ATBroker.exe /start malware |
|
| LOLBAS | Atbroker.yml | - Path: C:\Windows\System32\Atbroker.exe |
|
| LOLBAS | Atbroker.yml | - Path: C:\Windows\SysWOW64\Atbroker.exe |
|
| LOLBAS | Atbroker.yml | - IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware |
|
| atomic-red-team | T1546.008.md | * App Switcher: C:\Windows\System32\AtBroker.exe</blockquote> |
MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.008.md | | parent_list | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: “osk.exe” | String | osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe| | MIT License. © 2018 Red Canary |
MIT License. Copyright (c) 2020-2021 Strontic.