Checks the hashes of the accessibility tools to ensure they do not match the hashes of cmd.exe, powershell.exe, or explorer.exe (a match means the accessibility binary has been replaced with a copy of a shell). More info: https://github.com/TrullJ/sticky-keys-scanner/blob/master/TestFor-StickyKey.ps1
Query:
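-- Accessibility-binary replacement ("Sticky Keys" style) check for osquery.
-- Returns any accessibility tool whose SHA-256 equals the SHA-256 of
-- cmd.exe, powershell.exe or explorer.exe on the same host, i.e. the
-- accessibility binary has been overwritten with a copy of a shell.
-- As the query name says, only the file-replacement variant is covered.
--
-- Path separators restored: the listing had lost the backslashes
-- ('c:windowssystem32osk.exe'); the hash table needs real file paths, and
-- SQLite does not treat backslash as an escape inside string literals.
-- NOTE(review): explorer.exe normally resides in c:\windows rather than
-- c:\windows\system32 — confirm the intended path for that comparison.
SELECT *
FROM hash
WHERE (
        path = 'c:\windows\system32\osk.exe'
        OR path = 'c:\windows\system32\sethc.exe'
        OR path = 'c:\windows\system32\narrator.exe'
        OR path = 'c:\windows\system32\magnify.exe'
        OR path = 'c:\windows\system32\displayswitch.exe'
    )
    AND sha256 IN (
        SELECT sha256
        FROM hash
        WHERE path = 'c:\windows\system32\cmd.exe'
            OR path = 'c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe'
            OR path = 'c:\windows\system32\explorer.exe'
    )
    -- e3b0c4... is the SHA-256 of empty input. Without this exclusion an
    -- absent/unreadable accessibility tool and an absent/unreadable shell
    -- would "match" each other and raise a false positive.
    AND sha256 != 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855';

Additional Query Info: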
Version: 2.2.1
Platform: windows
Interval: 3600
JSON:
{ "queries": { "StickyKeys_File_Replace_Backdoor": { "query" : "SELECT * FROM hash WHERE (path='c:windowssystem32osk.exe' OR path='c:windowssystem32sethc.exe' OR path='c:windowssystem32narrator.exe' OR path='c:windowssystem32magnify.exe' OR path='c:windowssystem32displayswitch.exe') AND sha256 IN (SELECT sha256 FROM hash WHERE path='c:windowssystem32cmd.exe' OR path='c:windowssystem32WindowsPowerShellv1.0powershell.exe' OR path='c:windowssystem32explorer.exe') AND sha256!='e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855';", "interval" : "3600", "platform" : "windows", "version": "2.2.1", "description" : "Checks the hashes of accessibility tools to ensure they don't match the hashes of cmd.exe, powershell.exe, or explorer.exe. More info: (https://github.com/TrullJ/sticky-keys-scanner/blob/master/TestFor-StickyKey.ps1)", "value" : "" } } }