Need help determining the root cause of a Security Incident M365 Defender

BmoreOs 141 Reputation points
2022-07-07T15:12:43.293+00:00

A recent alert went off for a "Sticky Keys binary hijack" attack on an end user's laptop. The "threat" was blocked and we had the user's laptop swapped.

I have the laptop in question and checked downloads, documents, add/remove programs, and logs within the event viewer, and nothing stands out as obvious. I do have ASR rules on and none of them are shown to be involved. I asked the end user about the specific dates and times within the attached screenshots and she is not aware of doing anything out of the ordinary or of anyone having physical access to her laptop. I ran a full and offline scan with no detections.

I went through many links and searches on the web and I am unable to figure out what happened here. Does anyone have any experience with this or can point me in the right direction? Screenshots are attached for details. I can gladly provide more information if needed. Thank you.

218693-threat.png

218594-threat2.png


Accepted answer
  1. Limitless Technology 39,926 Reputation points
    2022-07-13T14:29:44.453+00:00

    Hello BmoreOS,

    Considering the source of the infection, it may not be possible to retrieve the root cause or the infection vector; you may only be able to establish that the code was added to the system in some way, most times even unnoticed by the user.

    In case you suspect system manipulation by the user, you can verify whether the file SETHC.EXE matches the size of CMD.EXE (the mechanism of the exploit) and retrieve data such as the time of the file modification; in some cases the user will appear as well. However, this should not be taken as enough proof to blame the user, as some infections may act in the same environment session as the user.

    In case you want to fully protect the systems, you can use the registry editor and change the permissions for that registry chain to the Administrator only. The path and key for disabling Sticky Keys is:
    HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys\Flags="506" (by default the value is 510)


1 additional answer

  1. Andrew Blumhardt 10,051 Reputation points Microsoft Employee
    2022-07-13T12:13:34.533+00:00

    It sounds something like what the article linked below describes. Possibly renaming cmd to utilman could expose cmd from Windows Key + U?

    https://www.technibble.com/bypass-windows-logons-utilman/

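A triage check that covers both answers above, added here as an example and not code from either poster: it compares sethc.exe and utilman.exe against cmd.exe by size and hash (the check the accepted answer describes), records modification time and owner, and reads the StickyKeys Flags value the accepted answer mentions. The `$Root` parameter, the function names and the use of an offline mounted disk are my own assumptions.

```powershell
# Added example (not from the thread): triage for accessibility-binary
# replacement on a suspect Windows image. Run from an elevated PowerShell.
# $Root can point at a mounted offline disk (e.g. 'E:\Windows') so the
# laptop's drive can be examined without booting it; default is the live OS.
function Test-AccessibilityBinaryHijack {
    param(
        [string]$Root = $env:SystemRoot,
        # Binaries reachable from the logon screen; sethc.exe (Sticky Keys)
        # and utilman.exe (Win+U) are the two named in the thread.
        [string[]]$Names = @('sethc.exe', 'utilman.exe')
    )
    $cmd     = Get-Item (Join-Path $Root 'System32\cmd.exe')
    $cmdHash = (Get-FileHash $cmd.FullName -Algorithm SHA256).Hash

    foreach ($name in $Names) {
        $path = Join-Path $Root "System32\$name"
        if (-not (Test-Path $path)) { continue }
        $item = Get-Item $path
        $hash = (Get-FileHash $path -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature $path

        [pscustomobject]@{
            File          = $name
            SizeBytes     = $item.Length
            SameSizeAsCmd = ($item.Length -eq $cmd.Length)
            SameHashAsCmd = ($hash -eq $cmdHash)      # a copy of cmd.exe matches exactly
            # A copied cmd.exe still carries a valid Microsoft signature, so
            # 'Valid' alone does not clear the file; the hash comparison does.
            Signature     = $sig.Status
            LastWriteTime = $item.LastWriteTime      # modification time from the accepted answer
            Owner         = (Get-Acl $path).Owner    # untouched files are owned by TrustedInstaller
        }
    }
}

# StickyKeys hotkey setting from the accepted answer. It is a per-user value,
# so check the affected user's hive; 510 is the default, 506 disables the hotkey.
function Get-StickyKeysFlags {
    param([string]$Hive = 'HKCU:')
    $key = Join-Path $Hive 'Control Panel\Accessibility\StickyKeys'
    (Get-ItemProperty -Path $key -Name Flags -ErrorAction SilentlyContinue).Flags
}

Test-AccessibilityBinaryHijack | Format-Table -AutoSize
"StickyKeys Flags = $(Get-StickyKeysFlags)"
```

For an offline disk, load the user's NTUSER.DAT with `reg load` and pass that hive to `Get-StickyKeysFlags`, since HKCU on the analysis machine reflects the analyst, not the affected user.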
