T1015 – Accessibility Features (Sysmon Detection)

Sysmon Alert Details
Alert ID: SYSMON-ACCESSIBILITY-1015-7842
Alert Time: 2024-02-18 15:30:15 EST
Severity: HIGH (88/100)
Source: Sysmon (Event ID 1 – Process Creation)
Rule: “Sethc.exe (Sticky Keys) Process Creation – Potential Persistence”
MITRE ATT&CK: T1015 – Accessibility Features

Alert Details:

Event ID: 1 (Process Creation)
Time: 15:25 EST
Host: SEC-WS-023 (Security Team Workstation)
User: SYSTEM (via Winlogon)

Process Tree:

winlogon.exe (PID: 568 – SYSTEM)
  sethc.exe (PID: 7842 – SYSTEM)
    C:\Windows\System32\cmd.exe (PID: 7845)
      Command: whoami (confirmed SYSTEM)
      Command: net user attacker Password123! /add
      Command: net localgroup administrators attacker /add

Registry Artifacts (Sysmon Event 13):

Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe
Value: Debugger
Data: C:\Windows\System32\cmd.exe
Modified: 15:20 EST
Modified By: powershell.exe (PID: 4789)

Detection Logic:

sethc.exe (Sticky Keys) normally launches when the Shift key is pressed five times
The Image File Execution Options Debugger value for sethc.exe redirects that launch to cmd.exe (the “Debugger” trick)
Pressing Shift five times now opens a command prompt running as SYSTEM
A classic persistence technique for attackers with physical access
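The detection logic above, as an added example that is not part of the original alert or report. It applies three rules to Sysmon events rendered as "Field: value" text (the rule names, the text layout and the sample events are my own; the timestamps are constructed UTC values that correspond to the EST times on the page): an Event ID 13 write to an Image File Execution Options Debugger value for an accessibility binary, an accessibility binary spawning a shell (the sethc.exe → cmd.exe tree shown above), and, going slightly beyond the page's process tree, winlogon.exe spawning a shell directly, which is how the redirected launch also appears because winlogon starts the registered Debugger in place of the original binary. The accessibility binary list is the standard set MITRE ATT&CK names for this technique.

```python
"""Sysmon-based detection of accessibility-feature abuse (Sticky Keys).

Added example, not from the original alert. Events are handled as
"Field: value" blocks carrying the usual Sysmon fields (EventID, Image,
ParentImage, TargetObject, Details); the sample events are constructed.
"""
import re
from pathlib import PureWindowsPath

# Accessibility binaries winlogon launches from the logon screen (the set
# MITRE ATT&CK lists for this technique).
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
    "narrator.exe", "displayswitch.exe", "atbroker.exe",
}
# Shells and interpreters none of those binaries should ever spawn.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Matches "...\Image File Execution Options\<exe>\Debugger" at the end of a key path.
IFEO_DEBUGGER = re.compile(
    r"\\Image File Execution Options\\(?P<target>[^\\]+)\\Debugger$", re.IGNORECASE
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\x\\cmd.exe' -> 'cmd.exe')."""
    return PureWindowsPath(path).name.lower()


def parse_event(block: str) -> dict:
    """Turn one 'Field: value' block into a dict (split on the first colon only)."""
    event = {}
    for line in block.strip().splitlines():
        field, sep, value = line.partition(":")
        if sep:
            event[field.strip()] = value.strip()
    return event


def evaluate(event: dict) -> list[str]:
    """Return the names of the rules an event triggers (empty list = benign)."""
    hits = []
    eid = event.get("EventID")
    if eid == "13":  # registry value set
        m = IFEO_DEBUGGER.search(event.get("TargetObject", ""))
        if m and m.group("target").lower() in ACCESSIBILITY_BINARIES:
            hits.append("ifeo_debugger_on_accessibility_binary")
    elif eid == "1":  # process creation
        parent = basename(event.get("ParentImage", ""))
        child = basename(event.get("Image", ""))
        if parent in ACCESSIBILITY_BINARIES and child in SHELLS:
            hits.append("accessibility_binary_spawned_shell")
        if parent == "winlogon.exe" and child in SHELLS:
            hits.append("winlogon_spawned_shell")
    return hits


def detect(raw_events: str) -> list[tuple[str, list[str]]]:
    """Run every rule over blank-line separated events; return (time, rules) per hit."""
    findings = []
    for block in raw_events.strip().split("\n\n"):
        event = parse_event(block)
        hits = evaluate(event)
        if hits:
            findings.append((event.get("UtcTime", "?"), hits))
    return findings


# Constructed sample events (not real telemetry): the registry change, the
# legitimate sethc.exe launch, the shell it spawned, and a benign user shell.
SAMPLE_EVENTS = """
EventID: 13
UtcTime: 2024-02-18 20:20:00
Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
TargetObject: HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger
Details: C:\\Windows\\System32\\cmd.exe

EventID: 1
UtcTime: 2024-02-18 20:25:00
Image: C:\\Windows\\System32\\sethc.exe
ParentImage: C:\\Windows\\System32\\winlogon.exe
User: NT AUTHORITY\\SYSTEM

EventID: 1
UtcTime: 2024-02-18 20:25:01
Image: C:\\Windows\\System32\\cmd.exe
ParentImage: C:\\Windows\\System32\\sethc.exe
User: NT AUTHORITY\\SYSTEM

EventID: 1
UtcTime: 2024-02-18 20:26:00
Image: C:\\Windows\\System32\\cmd.exe
ParentImage: C:\\Windows\\explorer.exe
User: CORP\\analyst
"""

if __name__ == "__main__":
    for when, rules in detect(SAMPLE_EVENTS):
        print(when, ", ".join(rules))
```

Only the registry write and the sethc.exe → cmd.exe launch fire; winlogon starting sethc.exe itself and a user opening cmd.exe from Explorer stay silent, which is the distinction the Splunk rule in step 1 of the investigation needs to make.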

Additional Context:

The user was at their desk and accidentally pressed the Shift key five times
An unexpected command prompt appeared
The user reported it to security immediately
SOC Investigation Process

Step | Action | Tools Used | Findings
1. Alert Validation | Verify Sysmon events | Splunk, Sysmon Logs | Confirmed accessibility feature abuse
2. Registry Remediation | Remove Debugger registry key | reg delete | Debugger key removed
3. User Account Check | Check for unauthorized accounts | AD Users and Computers | Attacker account found and disabled
4. Account Remediation | Delete attacker account | net user | Attacker account deleted
5. User Interview | Contact user | Teams, Phone | User confirmed accidental Shift key press; cooperated with investigation
6. Threat Hunting | Check other hosts for the same registry key | Splunk, Sysmon | No other occurrences found
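Step 6 (hunting other hosts for the same registry key) done offline, as an added example that is not part of the original report. It assumes the Image File Execution Options key has been exported from each host with reg.exe and decoded to text (reg.exe writes UTF-16LE); the parser, the host names and the export contents below are constructed, and the second host carries a Debugger value for an unrelated program to show that the hunt filters on the accessibility binaries rather than on every Debugger entry.

```python
"""Offline hunt for Image File Execution Options (IFEO) Debugger persistence
across registry exports collected from multiple hosts.

Added example, not from the original report. Assumes each host's IFEO key was
exported with reg.exe and decoded to text; all sample data is constructed.
"""
import re

# Accessibility binaries winlogon can launch from the logon screen (the set
# MITRE ATT&CK lists for this technique).
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
    "narrator.exe", "displayswitch.exe", "atbroker.exe",
}

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
IFEO_SUBKEY = re.compile(r"\\Image File Execution Options\\(?P<target>[^\\]+)$", re.IGNORECASE)


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Parse .reg text into {key path: {value name: data}}.

    String values ("name"="data") are unescaped; other types (dword:, hex:)
    are kept as the raw text after '='."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_LINE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):
                # .reg escapes backslashes and quotes inside strings with a backslash
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            keys[current][m.group("name")] = data
    return keys


def find_ifeo_debuggers(keys: dict[str, dict[str, str]]) -> list[tuple[str, str]]:
    """Every IFEO subkey carrying a Debugger value, as (target exe, debugger command)."""
    hits = []
    for path, values in keys.items():
        m = IFEO_SUBKEY.search(path)
        if m and "Debugger" in values:
            hits.append((m.group("target").lower(), values["Debugger"]))
    return hits


def hunt(exports: dict[str, str]) -> dict[str, list[tuple[str, str]]]:
    """Per host, the accessibility binaries whose launch is redirected via Debugger.

    A Debugger value on any other program still shows up in find_ifeo_debuggers()
    and deserves a look, but it is not the Sticky Keys pattern this hunt targets."""
    return {
        host: [hit for hit in find_ifeo_debuggers(parse_reg_export(text))
               if hit[0] in ACCESSIBILITY_BINARIES]
        for host, text in exports.items()
    }


# Constructed exports for two hosts: one with sethc.exe redirected, one with
# only a developer's debugger registered for an unrelated program.
SAMPLE_EXPORTS = {
    "SEC-WS-023": r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"
""",
    "SEC-WS-024": r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sampleapp.exe]
"Debugger"="C:\\Tools\\windbg.exe"
"UseFilter"=dword:00000000
""",
}

if __name__ == "__main__":
    for host, flagged in hunt(SAMPLE_EXPORTS).items():
        status = ", ".join(f"{exe} -> {cmd}" for exe, cmd in flagged) or "clean"
        print(f"{host}: {status}")
```

The same parse-then-filter split works when the exports come from a Splunk or Sysmon Event 13 search instead of reg.exe: only the loader changes, and find_ifeo_debuggers() keeps the full list of Debugger entries so anything outside the accessibility set can still be triaged by hand.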

Jira Incident Report
Ticket: SOC-2024-094
Summary: T1015 – Sticky Keys Accessibility Feature Abuse for Persistence
Status: RESOLVED
Resolution: MALICIOUS – Registry Key Removed
Priority: P2 – MEDIUM
Labels: T1015, accessibility-features, sticky-keys, persistence, sysmon
Components: Endpoint-Security, Persistence

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Sysmon Event ID 1 (Process Creation).
Alert: “Sethc.exe (Sticky Keys) Process Creation – Potential Persistence”.
Host: SEC-WS-023 (Security Team Workstation).
User: SYSTEM (via winlogon).
Time: 2024-02-18 15:30 EST.
Technique: MITRE ATT&CK T1015 – Accessibility Features.

2. Technical Analysis:

Attack Chain:

14:00 – Attacker gains remote access via compromised credentials
14:15 – Attacker runs PowerShell to modify registry
14:20 – Registry key modified: sethc.exe debugger set to cmd.exe
14:20 – Attacker account “attacker” created
14:20 – Attacker added to local administrators group
14:20-15:25 – Attacker idle (waiting)
15:25 – User accidentally presses Shift key 5 times
15:25 – cmd.exe launches as SYSTEM
15:25 – User sees command prompt, reports immediately
15:30 – Sysmon alerts

Persistence Mechanism:

Accessibility Feature: Sticky Keys (sethc.exe)
Registry Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe
Value: Debugger
Data: C:\Windows\System32\cmd.exe
Effect: Pressing Shift 5 times launches SYSTEM command prompt

Attacker Account:

Username: attacker
Password: (complex, known to attacker)
Privileges: Local administrator
Status: Created 15:20, not used yet

User Discovery:

User pressed the Shift key accidentally while typing
An unexpected SYSTEM command prompt appeared
User reported it to security immediately (excellent response)

3. Investigation Findings:

Timeline:

14:20 – Registry modified, account created
15:25 – User triggers accessibility feature
15:25 – User reports incident
15:30 – Sysmon alert
15:32 – SOC investigates
15:35 – Registry key removed
15:36 – Attacker account deleted

Indicators of Compromise (IoCs):

Registry:

– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = “C:\Windows\System32\cmd.exe”

Account:

– attacker (local admin)

Process:

– sethc.exe spawning cmd.exe

4. Containment Actions:

Immediate Actions:

Removed Debugger registry key.
Deleted attacker account.
Scanned host for other persistence (none).
Verified no other registry modifications.

Host Remediation:

Full scan (no other malware).
No reimage needed.

User Remediation:

User commended for reporting.
User educated on physical security.

5. Root Cause Analysis:

Primary Cause: Attacker gained remote access and modified registry for persistence.
Contributing Factors:
Compromised credentials allowed remote access.
No monitoring for accessibility feature abuse.
Classic persistence technique not blocked.

6. Business Impact:

Operational Impact: Security workstation offline for 1 hour.
Security Impact: Attacker had local admin access for 1 hour.
Data Exposure: None (attacker idle, no activity).

7. Remediation & Prevention:

Completed Actions:

Registry key removed.
Attacker account deleted.
Host secured.

Technical Controls Enhanced:

Created alert for any Image File Execution Options modifications.
Blocked remote registry modifications via GPO.
Enforced application whitelisting.

8. Conclusion:

An attacker used remote access to modify the registry, enabling the Sticky Keys accessibility feature to launch a SYSTEM command prompt. The user accidentally triggered the feature and reported immediately. Sysmon detected the anomalous process creation, enabling rapid remediation. No further compromise occurred.

Closure Rationale: Registry key removed; attacker account deleted; controls enhanced.

Analyst: [Walter White], SOC Analyst
Date: 2024-02-18 16:30 EST