Defenders can observe replacement or tampering of the system accessibility binaries (e.g., utilman.exe, sethc.exe, osk.exe) and anomalous modifications to the registry keys used to redirect them, such as Image File Execution Options (IFEO) Debugger values. Additionally, cmd.exe or another suspicious binary launched from the login screen as SYSTEM (typically with winlogon.exe or the accessibility binary itself as the parent) can be correlated with the preceding tampering as part of a behavior chain.
| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13 |
| File Metadata (DC0059) | WinEventLog:Sysmon | EventCode=15 |

| Field | Description |
|---|---|
| TimeWindow | Time between registry modification and suspicious binary execution (e.g., < 1 hour) can be tuned. |
| TargetBinaryNames | Specific binaries monitored (e.g., utilman.exe, sethc.exe) can be adjusted per OS version and risk tolerance. |
| ParentProcess | Parent process of cmd.exe (e.g., winlogon.exe) may vary across legitimate and adversarial cases. |
| UserContext | Context of SYSTEM account execution vs. administrative sessions may influence tuning. |
| CommandLineContains | Tunable patterns such as launching cmd.exe, powershell, or LOLBins from accessibility binaries. |
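The behavior chain described above, with the tunables from the table exposed as parameters, as an added example that is not part of the original page: it parses constructed Sysmon-style events (a simplified `key=value|key=value` line format, not Sysmon's real XML) and raises an alert only when an IFEO Debugger write or a System32 accessibility-binary file creation precedes a SYSTEM shell spawned by winlogon.exe or an accessibility binary within the time window. The binary list beyond utilman.exe, sethc.exe and osk.exe, the servicing-process allowlist (TrustedInstaller.exe, TiWorker.exe) and the sample events are this example's own assumptions.

```python
"""Correlate accessibility-binary tampering with a login-screen shell.
Added example over constructed Sysmon-style events; not the page's own code."""
from datetime import datetime, timedelta
import ntpath

# Tunables (defaults chosen for this example; adjust per OS build and risk tolerance).
TARGET_BINARIES = {"utilman.exe", "sethc.exe", "osk.exe",
                   "narrator.exe", "magnify.exe", "displayswitch.exe", "atbroker.exe"}
PARENT_PROCESSES = {"winlogon.exe"} | TARGET_BINARIES      # ParentProcess tunable
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "rundll32.exe"}
SYSTEM_USERS = {"NT AUTHORITY\\SYSTEM"}                     # UserContext tunable
BENIGN_WRITERS = {"trustedinstaller.exe", "tiworker.exe"}   # assumed: Windows servicing
IFEO_PREFIX = "\\image file execution options\\"
TIME_WINDOW = timedelta(hours=1)                            # TimeWindow tunable


def parse_event(line):
    """Parse one constructed 'key=value|key=value' line into a dict; UtcTime becomes a datetime."""
    ev = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    ev["UtcTime"] = datetime.fromisoformat(ev["UtcTime"])
    return ev


def base(path):
    return ntpath.basename(path).lower()


def registry_tamper(ev):
    """Sysmon 13: IFEO Debugger value set for a monitored accessibility binary."""
    if ev["EventCode"] != "13":
        return None
    key = ev["TargetObject"].lower()
    if IFEO_PREFIX not in key or not key.endswith("\\debugger"):
        return None
    binary = key.split(IFEO_PREFIX, 1)[1].split("\\", 1)[0]
    if binary in TARGET_BINARIES:
        return {"kind": "ifeo", "binary": binary, "detail": ev.get("Details", ""), "time": ev["UtcTime"]}
    return None


def file_tamper(ev):
    """Sysmon 11: a System32 accessibility binary (re)created by a process that is not Windows servicing."""
    if ev["EventCode"] != "11":
        return None
    target = ev["TargetFilename"]
    if (base(target) in TARGET_BINARIES
            and ntpath.dirname(target).lower().endswith("\\system32")
            and base(ev.get("Image", "")) not in BENIGN_WRITERS):
        return {"kind": "file", "binary": base(target), "detail": ev.get("Image", ""), "time": ev["UtcTime"]}
    return None


def login_screen_shell(ev):
    """Sysmon 1: shell or LOLBin started as SYSTEM by winlogon.exe or an accessibility binary."""
    if ev["EventCode"] != "1":
        return None
    if (base(ev["Image"]) in SHELL_IMAGES
            and base(ev["ParentImage"]) in PARENT_PROCESSES
            and ev.get("User") in SYSTEM_USERS):
        return {"image": base(ev["Image"]), "parent": base(ev["ParentImage"]),
                "cmdline": ev.get("CommandLine", ""), "time": ev["UtcTime"]}
    return None


def correlate(lines, window=TIME_WINDOW):
    """Return one alert per login-screen shell that has at least one tamper event within `window` before it."""
    events = [parse_event(line) for line in lines]
    tampers = [t for ev in events for t in (registry_tamper(ev), file_tamper(ev)) if t]
    alerts = []
    for ev in events:
        shell = login_screen_shell(ev)
        if not shell:
            continue
        # Behavior chain: tampering must precede the shell, and not by more than the window.
        prior = [t for t in tampers if timedelta(0) <= shell["time"] - t["time"] <= window]
        if prior:
            alerts.append({"shell": shell, "tampers": prior})
    return alerts


# Constructed sample events (not real telemetry): one IFEO hijack, one file replacement,
# one benign servicing write, one true-positive shell, one user shell, one shell outside the window.
SAMPLE_LOG = [
    "EventCode=13|UtcTime=2024-05-01T02:10:05|Image=C:\\Windows\\regedit.exe"
    "|TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger"
    "|Details=C:\\Windows\\System32\\cmd.exe",
    "EventCode=11|UtcTime=2024-05-01T02:12:40|Image=C:\\Windows\\System32\\cmd.exe|TargetFilename=C:\\Windows\\System32\\utilman.exe",
    "EventCode=11|UtcTime=2024-05-01T02:12:41|Image=C:\\Windows\\servicing\\TrustedInstaller.exe|TargetFilename=C:\\Windows\\System32\\osk.exe",
    "EventCode=1|UtcTime=2024-05-01T02:31:00|Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Windows\\System32\\winlogon.exe"
    "|User=NT AUTHORITY\\SYSTEM|CommandLine=cmd.exe",
    "EventCode=1|UtcTime=2024-05-01T02:33:00|Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Windows\\explorer.exe"
    "|User=CORP\\alice|CommandLine=cmd.exe /c dir",
    "EventCode=1|UtcTime=2024-05-01T09:00:00|Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Windows\\System32\\winlogon.exe"
    "|User=NT AUTHORITY\\SYSTEM|CommandLine=cmd.exe",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert["shell"]["time"], alert["shell"]["parent"], "->", alert["shell"]["image"])
        for t in alert["tampers"]:
            print("   preceded by", t["kind"], "tamper of", t["binary"], "at", t["time"])
```

With the one-hour default only the 02:31 shell alerts, carrying both the sethc.exe IFEO write and the utilman.exe replacement; widening the window to eight hours also pulls in the 09:00 shell, which is the trade-off the TimeWindow tunable controls. The servicing allowlist is the main false-positive control for the file-creation leg, since Windows updates legitimately rewrite these binaries under TrustedInstaller.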