StickyKeys_File_Replace_Backdoor

Name: StickyKeys_File_Replace_Backdoor
Checks the hashes of the Windows accessibility tools (osk.exe, sethc.exe, narrator.exe, magnify.exe, displayswitch.exe) to ensure they don't match the hashes of cmd.exe, powershell.exe, or explorer.exe; a match means an accessibility binary has been replaced with a shell. More info: https://github.com/TrullJ/sticky-keys-scanner/blob/master/TestFor-StickyKey.ps1

Query:
SELECT * FROM hash WHERE (path='c:\windows\system32\osk.exe' OR path='c:\windows\system32\sethc.exe' OR path='c:\windows\system32\narrator.exe' OR path='c:\windows\system32\magnify.exe' OR path='c:\windows\system32\displayswitch.exe') AND sha256 IN (SELECT sha256 FROM hash WHERE path='c:\windows\system32\cmd.exe' OR path='c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe' OR path='c:\windows\system32\explorer.exe') AND sha256!='e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855';
Additional Query Info:
Version: 2.2.1
Platform: windows
Interval: 3600

JSON:
{
  "queries": {
    "StickyKeys_File_Replace_Backdoor": {
      "query" : "SELECT * FROM hash WHERE (path='c:\\windows\\system32\\osk.exe' OR path='c:\\windows\\system32\\sethc.exe' OR path='c:\\windows\\system32\\narrator.exe' OR path='c:\\windows\\system32\\magnify.exe' OR path='c:\\windows\\system32\\displayswitch.exe') AND sha256 IN (SELECT sha256 FROM hash WHERE path='c:\\windows\\system32\\cmd.exe' OR path='c:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe' OR path='c:\\windows\\system32\\explorer.exe') AND sha256!='e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855';",
      "interval" : "3600",
      "platform" : "windows",
      "version": "2.2.1",
      "description" : "Checks the hashes of accessibility tools to ensure they don't match the hashes of cmd.exe, powershell.exe, or explorer.exe. More info: https://github.com/TrullJ/sticky-keys-scanner/blob/master/TestFor-StickyKey.ps1",
      "value" : ""
    }
  }
}
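The query above is easiest to reason about when you can run it against known input. The following is an added example, not part of this pack or of osquery: it emulates osquery's `hash` table with an in-memory SQLite table (osquery's SQL layer is SQLite, and neither treats backslash as an escape inside string literals), runs the pack's query verbatim over constructed rows, and shows why the final `sha256!='e3b0...'` clause matters. That constant is the SHA-256 of zero-length input; without the clause, two files that both failed to hash would match each other and raise a false alert. The `rows_from_disk` helper, which models an unreadable file as that empty-input hash, is an assumption of this example and not osquery's own behaviour; the sample hashes are constructed and are not real Windows binary hashes.

```python
import hashlib
import sqlite3

# SHA-256 of zero-length input. The pack's last clause excludes it so that two
# entries whose hash is "nothing" do not match each other.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

ACCESSIBILITY_TOOLS = [
    r"c:\windows\system32\osk.exe",
    r"c:\windows\system32\sethc.exe",
    r"c:\windows\system32\narrator.exe",
    r"c:\windows\system32\magnify.exe",
    r"c:\windows\system32\displayswitch.exe",
]
SHELLS = [
    r"c:\windows\system32\cmd.exe",
    r"c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe",
    r"c:\windows\system32\explorer.exe",
]

# The pack's query, verbatim, with the backslashes osquery expects.
PACK_QUERY = (
    r"SELECT * FROM hash WHERE (path='c:\windows\system32\osk.exe' OR "
    r"path='c:\windows\system32\sethc.exe' OR path='c:\windows\system32\narrator.exe' OR "
    r"path='c:\windows\system32\magnify.exe' OR path='c:\windows\system32\displayswitch.exe') "
    r"AND sha256 IN (SELECT sha256 FROM hash WHERE path='c:\windows\system32\cmd.exe' OR "
    r"path='c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe' OR "
    r"path='c:\windows\system32\explorer.exe') "
    "AND sha256!='e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855';"
)


def run_query(rows, guard=True):
    """Run the pack's query over (path, sha256) rows using an in-memory SQLite
    table that stands in for osquery's hash table. With guard=False the final
    empty-hash clause is dropped, to show what it prevents. Returns the flagged
    accessibility-tool paths, sorted."""
    sql = PACK_QUERY if guard else PACK_QUERY.split(" AND sha256!=")[0] + ";"
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE hash (path TEXT, sha256 TEXT)")
    con.executemany("INSERT INTO hash VALUES (?, ?)", list(rows))
    flagged = sorted(path for path, _ in con.execute(sql))
    con.close()
    return flagged


def rows_from_disk(paths=ACCESSIBILITY_TOOLS + SHELLS):
    """Build hash rows on a live Windows host. A file that cannot be read is
    recorded with the empty-input hash (an assumption of this example, chosen
    because that is the value the pack's final clause excludes)."""
    rows = []
    for p in paths:
        try:
            with open(p, "rb") as f:
                rows.append((p, hashlib.sha256(f.read()).hexdigest()))
        except OSError:
            rows.append((p, EMPTY_SHA256))
    return rows


def build_sample_rows():
    """Constructed rows (not real Windows hashes): sethc.exe has been overwritten
    with a copy of cmd.exe, and magnify.exe and powershell.exe both failed to hash."""
    def fake(path):
        return hashlib.sha256(b"constructed content of " + path.encode()).hexdigest()

    rows = {p: fake(p) for p in ACCESSIBILITY_TOOLS + SHELLS}
    rows[r"c:\windows\system32\sethc.exe"] = rows[r"c:\windows\system32\cmd.exe"]
    rows[r"c:\windows\system32\magnify.exe"] = EMPTY_SHA256
    rows[r"c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe"] = EMPTY_SHA256
    return list(rows.items())


if __name__ == "__main__":
    sample = build_sample_rows()
    print("with guard:   ", run_query(sample))               # only sethc.exe
    print("without guard:", run_query(sample, guard=False))  # magnify.exe flagged too
```

On a real host, `run_query(rows_from_disk())` gives the same verdict the scheduled osquery query would, which is a convenient way to confirm the query text (and its backslashes) before deploying the pack.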
