
Summary
The detection rule titled 'ATBroker.exe Execution' targets execution of 'ATBroker.exe', a helper binary associated with Assistive Technology (AT) in Windows environments. The binary belongs to the Living Off the Land Binaries and Scripts (LOLBAS) category: legitimate binaries already present on the system that attackers can abuse to execute malicious code while evading detection. The rule monitors executions of this process because it can be invoked to launch further commands defined in the Windows registry, particularly those registered for AT services.

By capturing events in which 'ATBroker.exe' is started, especially with command-line parameters indicating a 'start' action, the rule aims to identify defense-evasion tactics employed by threat actors. The Splunk logic for this rule uses endpoint data and EDR logs to capture the relevant process-execution events, including their parent-child relationships and user context. Identifying such executions can be critical in detecting malicious activity that leverages legitimate system processes for illicit purposes. The detection aligns with the MITRE ATT&CK technique T1218 - 'System Binary Proxy Execution'.
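As an added illustration of the rule's matching conditions (not the Splunk rule's own SPL or any code from this page), the following Python applies the same process-name plus 'start' command-line test to constructed process-creation events and pulls out the triage context the summary mentions. Field names are assumed to follow the Splunk CIM Endpoint.Processes model; the hosts, users and command lines are made up.

```python
import re

# Constructed sample process-creation events. Field names follow the Splunk
# CIM Endpoint.Processes data model (dest, user, parent_process_name,
# process_name, process); hosts, users and command lines are made up.
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "CORP\\alice", "parent_process_name": "explorer.exe",
     "process_name": "ATBroker.exe",
     "process": "C:\\Windows\\System32\\ATBroker.exe start Narrator"},
    {"dest": "ws01", "user": "NT AUTHORITY\\SYSTEM", "parent_process_name": "winlogon.exe",
     "process_name": "atbroker.exe", "process": "atbroker.exe start osk"},
    {"dest": "ws02", "user": "CORP\\bob", "parent_process_name": "cmd.exe",
     "process_name": "ATBroker.exe", "process": "ATBroker.exe /?"},
    {"dest": "ws02", "user": "CORP\\bob", "parent_process_name": "cmd.exe",
     "process_name": "notepad.exe", "process": "notepad.exe start.txt"},
]

# A 'start' action, optionally followed by the name of the registered AT to launch.
START_ACTION = re.compile(r"(?i)\bstart\b\s*(\S*)")

def matches_rule(event):
    """Rule condition: the process is ATBroker.exe (case-insensitive) and its
    command line carries a 'start' action."""
    if event.get("process_name", "").lower() != "atbroker.exe":
        return False
    return START_ACTION.search(event.get("process", "")) is not None

def triage_hits(events):
    """Return matching events with the context an analyst needs: host, user,
    parent process, the AT name passed to 'start' (None if absent) and the
    full command line."""
    hits = []
    for e in events:
        if not matches_rule(e):
            continue
        m = START_ACTION.search(e["process"])
        hits.append({
            "dest": e["dest"],
            "user": e["user"],
            "parent_process_name": e["parent_process_name"],
            "at_name": m.group(1) or None,
            "process": e["process"],
        })
    return hits

if __name__ == "__main__":
    for hit in triage_hits(SAMPLE_EVENTS):
        print(hit)
```

Of the four constructed events only the two ATBroker.exe launches with a 'start' action are reported; the parent process and user fields are what separate an expected logon-time launch from one worth investigating.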
Categories
- Windows
- Endpoint
Data Sources
- Process
- File
- Logon Session
ATT&CK Techniques
- T1218
Created: 2024-02-09