AtBroker.exe

  • File Path: C:\WINDOWS\system32\AtBroker.exe
  • Description: Windows Assistive Technology Manager

Hashes

Type Hash
MD5 408416D531C62E3BC668D750EBD0B634
SHA1 049F72892273515B31351F9B26B67834A3BA98CF
SHA256 A4924C3A207B8F1C55318B0012D0E99D06CDEEF8709296CE25881CC46B31AEC1
SHA384 440F96B6E7C1F5986D38B205A03448FB5304A0AABD9833366A96026F9C0518ADA2995F0CA2ECF81788FF99B34E14961A
SHA512 2F3E6D45ED4FF5341AEC6438E4EDD26A420DEFC70B1FE6CAE7C34AEFB48F79797122ADFBD3F67409C689F684587241322BA7995BBA879EBA73C973582686B748
SSDEEP 1536:rpkzOBUffrwSPz9zBXm7yXb63dqk058fFqusogJBtV:FkzOBWF7VBXmgP589qus3BtV

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: ATBroker.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.449 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.449
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of AtBroker.exe being misused. While AtBroker.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_install_reg_debugger_backdoor.yml - 'atbroker.exe' DRL 1.0
sigma proc_creation_win_susp_atbroker.yml title: Suspicious Atbroker Execution DRL 1.0
sigma proc_creation_win_susp_atbroker.yml description: Atbroker executing non-deafualt Assistive Technology applications DRL 1.0
sigma proc_creation_win_susp_atbroker.yml - https://lolbas-project.github.io/lolbas/Binaries/Atbroker/ DRL 1.0
sigma proc_creation_win_susp_atbroker.yml Image\|endswith: 'AtBroker.exe' DRL 1.0
sigma registry_event_susp_atbroker_change.yml title: Atbroker Registry Change DRL 1.0
sigma registry_event_susp_atbroker_change.yml - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Atbroker.yml DRL 1.0
LOLBAS Atbroker.yml Name: Atbroker.exe  
LOLBAS Atbroker.yml - Command: ATBroker.exe /start malware  
LOLBAS Atbroker.yml - Path: C:\Windows\System32\Atbroker.exe  
LOLBAS Atbroker.yml - Path: C:\Windows\SysWOW64\Atbroker.exe  
LOLBAS Atbroker.yml - IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware  
atomic-red-team T1546.008.md * App Switcher: C:\Windows\System32\AtBroker.exe</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md | parent_list | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: “osk.exe” | String | osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe| MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.