AtBroker.exe

  • File Path: C:\windows\SysWOW64\AtBroker.exe
  • Description: Windows Assistive Technology Manager

Hashes

Type Hash
MD5 B90FBBE506E1AAAF7B67C5DA6445E7E1
SHA1 7CF3DF21A76AC2F7D1BEA7245461447DE7971D49
SHA256 94755D0C49EC3238BA3C74054EFE54D4843CAEB913A58EFC1B696063FE107116
SHA384 A2B09C0DA09D1293FBCA4AA1C5BC5D789A880A8CCB5F26E73E2C6B23867EE768069E4DA413FEF97656520C4C1B2A72DD
SHA512 4557D2029221D2EA4C9431187A962C716C6D8169EE7A362CA041FE8AD71FA8D45E106FB3C997D6BC4097BCFF208DFF6638C8820E9A3469CAA3EF53C9801727D6
SSDEEP 768:ibR5YJ/+AZABBES89/MhlHAVVz/Jrh8oIUW4H+ug:l+AZABBE2kVVDJFJpHvg

Signature

  • Status: The file C:\windows\SysWOW64\AtBroker.exe is not digitally signed. This reflects the absence of an embedded Authenticode signature; Windows operating-system binaries are normally signed through a security catalog instead, so confirm with a catalog-aware check (for example Sysinternals sigcheck) before treating the missing signature as an indicator of tampering.
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: ATBroker.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of AtBroker.exe being misused. While AtBroker.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source | Source File | Example | License
sigma | proc_creation_win_install_reg_debugger_backdoor.yml | - 'atbroker.exe' | DRL 1.0
sigma | proc_creation_win_susp_atbroker.yml | title: Suspicious Atbroker Execution | DRL 1.0
sigma | proc_creation_win_susp_atbroker.yml | description: Atbroker executing non-default Assistive Technology applications | DRL 1.0
sigma | proc_creation_win_susp_atbroker.yml | - https://lolbas-project.github.io/lolbas/Binaries/Atbroker/ | DRL 1.0
sigma | proc_creation_win_susp_atbroker.yml | Image|endswith: 'AtBroker.exe' | DRL 1.0
sigma | registry_event_susp_atbroker_change.yml | title: Atbroker Registry Change | DRL 1.0
sigma | registry_event_susp_atbroker_change.yml | - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Atbroker.yml | DRL 1.0
LOLBAS | Atbroker.yml | Name: Atbroker.exe | 
LOLBAS | Atbroker.yml | - Command: ATBroker.exe /start malware | 
LOLBAS | Atbroker.yml | - Path: C:\Windows\System32\Atbroker.exe | 
LOLBAS | Atbroker.yml | - Path: C:\Windows\SysWOW64\Atbroker.exe | 
LOLBAS | Atbroker.yml | - IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware | 
atomic-red-team | T1546.008.md | * App Switcher: C:\Windows\System32\AtBroker.exe | MIT License. © 2018 Red Canary
atomic-red-team | T1546.008.md | parent_list: Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: "osk.exe" (String) osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe | MIT License. © 2018 Red Canary
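The rows above describe three abuse patterns: starting a non-default Assistive Technology with "AtBroker.exe /start <name>", registering that AT under the Accessibility registry keys, and attaching a debugger to atbroker.exe through Image File Execution Options (T1546.008). The following is an added example, written for this page and not code from the Sigma, LOLBAS or Atomic Red Team projects, that runs detection logic modelled on those rules over a handful of constructed Sysmon-style events. The list of default AT names, the registry path fragments, and the event field names (Image, CommandLine, TargetObject, Details) are assumptions made for the example.

```python
"""Added example: toy detection of AtBroker.exe abuse over constructed
Sysmon-style events. Re-implements the intent of the Sigma rules cited
above; it is not the Sigma project's code."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumption: Assistive Technology names that ship with Windows. Anything
# else handed to "/start" is treated as suspicious (the LOLBAS IOC).
DEFAULT_ATS = {
    "animations", "audiodescription", "caretbrowsing", "caretwidth",
    "colorfiltering", "cursorindicator", "cursorscheme", "filterkeys",
    "focusborderheight", "focusborderwidth", "highcontrast", "keyboardcues",
    "keyboardpref", "magnifierpane", "messageduration", "minimumcursorsize",
    "mousekeys", "narrator", "osk", "overlappedcontent", "showsounds",
    "soundsentry", "stickykeys", "togglekeys", "windowarranging",
    "windowtracking", "windowtrackingtimeout", "windowtrackingzorder",
}

# Assumption: registry locations AtBroker consults for AT registration and
# per-user configuration, matched case-insensitively as path substrings.
AT_REG_PATHS = (r"\accessibility\ats", r"\accessibility\configuration")
# Assumption: IFEO debugger value used by the T1546.008 backdoor.
IFEO_ATBROKER_DEBUGGER = r"\image file execution options\atbroker.exe\debugger"


@dataclass
class Alert:
    rule: str
    detail: str


def at_name_from_cmdline(command_line: str) -> Optional[str]:
    """Return the AT name following the /start switch, or None if absent."""
    m = re.search(r'/start\s+"?([^\s"]+)', command_line, re.IGNORECASE)
    return m.group(1) if m else None


def check_process(image: str, command_line: str) -> Optional[Alert]:
    """Process-creation check: AtBroker starting a non-default AT."""
    if not image.lower().endswith("atbroker.exe"):
        return None
    name = at_name_from_cmdline(command_line)
    if name is None or name.lower() in DEFAULT_ATS:
        return None
    return Alert("Suspicious Atbroker Execution",
                 f"non-default AT {name!r} via {command_line}")


def check_registry(target_object: str, details: str = "") -> Optional[Alert]:
    """Registry check: AT registration/configuration keys and IFEO debugger."""
    t = target_object.lower()
    if t.endswith(IFEO_ATBROKER_DEBUGGER):
        return Alert("Debugger backdoor on AtBroker", f"{target_object} = {details}")
    if any(p in t for p in AT_REG_PATHS):
        return Alert("Atbroker Registry Change", f"{target_object} = {details}")
    return None


def scan(events: Iterable[Dict[str, str]]) -> List[Alert]:
    """Route each event to the matching check and collect alerts in order."""
    alerts: List[Alert] = []
    for ev in events:
        kind = ev.get("EventType")
        if kind == "process":
            a = check_process(ev.get("Image", ""), ev.get("CommandLine", ""))
        elif kind == "registry":
            a = check_registry(ev.get("TargetObject", ""), ev.get("Details", ""))
        else:
            a = None
        if a is not None:
            alerts.append(a)
    return alerts


# Constructed sample telemetry: one benign AT start, one LOLBAS-style start,
# one AT registration, one IFEO debugger, one unrelated registry write.
SAMPLE_EVENTS = [
    {"EventType": "process", "Image": r"C:\Windows\System32\AtBroker.exe",
     "CommandLine": "AtBroker.exe /start Narrator"},
    {"EventType": "process", "Image": r"C:\Windows\SysWOW64\AtBroker.exe",
     "CommandLine": "ATBroker.exe /start malware"},
    {"EventType": "registry",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware\StartExe",
     "Details": r"C:\Users\Public\payload.exe"},
    {"EventType": "registry",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atbroker.exe\Debugger",
     "Details": "cmd.exe"},
    {"EventType": "registry",
     "TargetObject": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles",
     "Details": ""},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.detail}")
```

Run against the sample events the script raises three alerts (the malware start, the ATs key write, and the IFEO debugger) and stays silent on the Narrator start and the Office key. In production the allow-list should be generated from a known-good host rather than hard-coded, and the registry checks should be paired with the process-creation check, since a registered AT only becomes dangerous once something invokes AtBroker with its name.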

MIT License. Copyright (c) 2020-2021 Strontic.