Searches for the presence of the 'Debugger' registry key for common Windows accessibility tools. More info: (https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/):
Query:
SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%%' and name='Debugger';
Additional Query Info:
Version: 2.2.1
Platform: windows
Interval: 3600
JSON:
{
  "queries": {
    "StickyKeys_Registry_Backdoor": {
      "query": "SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%%' and name='Debugger';",
      "interval": "3600",
      "platform": "windows",
      "version": "2.2.1",
      "description": "Searches for the presence of the 'Debugger' registry key for common Windows accessibility tools. More info: (https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/)",
      "value": ""
    }
  }
}
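The query above returns every Image File Execution Options subkey that carries a Debugger value, including legitimate ones set by developer tooling, so the rows still need triage. The script below is an added example, not part of the osquery pack or the linked article: it reads the JSON rows such a query produces (for instance from `osqueryi --json`) and flags only the Debugger values attached to the logon-screen accessibility executables, which is the pattern the pack is looking for. The column names follow osquery's registry table; the list of accessibility binaries is the well-known set assumed here to be what "common Windows accessibility tools" refers to, and the sample rows are constructed, not real telemetry.

```python
"""Triage osquery 'registry' rows for accessibility-tool Debugger hijacks.

Assumes the input is the JSON array produced by running the pack's query
(columns: key, name, type, data). Everything below is illustrative.
"""
import json

# Executables reachable from the Windows logon screen. A Debugger value on any
# of these has no normal use and is the classic sticky-keys style backdoor.
# Well-known list, assumed to be the tools the pack description means.
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}

# Key prefix matched by the pack's LIKE clause (trailing separator included).
IFEO_PREFIX = (
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\"
    "Image File Execution Options\\"
)

# Constructed sample output: two hijacked accessibility tools plus one
# developer-tool Debugger entry that should not be flagged.
SAMPLE_OSQUERY_JSON = json.dumps([
    {"key": IFEO_PREFIX + "sethc.exe", "name": "Debugger",
     "type": "REG_SZ", "data": "C:\\Windows\\System32\\cmd.exe"},
    {"key": IFEO_PREFIX + "utilman.exe", "name": "Debugger",
     "type": "REG_SZ", "data": "C:\\Windows\\System32\\taskmgr.exe"},
    {"key": IFEO_PREFIX + "devenv.exe", "name": "Debugger",
     "type": "REG_SZ", "data": "C:\\Program Files\\Tools\\vsjitdebugger.exe"},
])


def load_rows(text):
    """Parse osquery JSON output into a list of row dicts."""
    rows = json.loads(text)
    if not isinstance(rows, list):
        raise ValueError("expected a JSON array of rows")
    return rows


def image_name(key):
    """Return the image subkey name (e.g. 'sethc.exe') for an IFEO key, or ''."""
    if not key.lower().startswith(IFEO_PREFIX.lower()):
        return ""
    # The image name is the first path component after the IFEO prefix.
    return key[len(IFEO_PREFIX):].split("\\")[0].lower()


def triage(rows):
    """Return one finding per Debugger value that targets an accessibility binary.

    Any such value is reported regardless of what it points at: the presence of
    the value on these binaries is the indicator, not the target path.
    """
    findings = []
    for row in rows:
        if row.get("name", "").lower() != "debugger":
            continue
        image = image_name(row.get("key", ""))
        if image in ACCESSIBILITY_BINARIES:
            findings.append({
                "image": image,
                "debugger": row.get("data", ""),
                "key": row.get("key", ""),
            })
    return findings


if __name__ == "__main__":
    for hit in triage(load_rows(SAMPLE_OSQUERY_JSON)):
        print(f"ALERT: {hit['image']} -> Debugger = {hit['debugger']}")
```

In practice the rows would come from the scheduled query's results log rather than the embedded sample; the devenv.exe row shows why filtering on the image name matters, since Debugger values on developer binaries are routine and would otherwise drown the alert.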