
Need help determining the root cause of a Security Incident M365 Defender

BmoreOs 141 Reputation points
Jul 7, 2022, 3:12 PM

A recent alert went off for a "Sticky Keys binary hijack" attack on an end user's laptop. The "threat" was blocked and we had the user's laptop swapped.

I have the laptop in question and checked downloads, documents, add/remove programs, and logs within the event viewer, and nothing stands out as obvious. I do have ASR rules on and none of them are shown to be involved. I asked the end user about the specific dates and times within the attached screenshots and she is not aware of doing anything out of the ordinary or of anyone having physical access to her laptop. I ran a full and offline scan with no detections.

I went through many links and searches on the web and I am unable to figure out what happened here. Does anyone have any experience with this or can point me in the right direction? Screenshots are attached for details. I can gladly provide more information, if needed. Thank you.

Attachments: 218693-threat.png, 218594-threat2.png

Tags: Windows 10 Security, Microsoft Defender for Cloud

Accepted answer
  1. Limitless Technology 39,831 Reputation points
    Jul 13, 2022, 2:29 PM

    Hello BmoreOS

    Considering the source of the infection, it may not be possible to retrieve the root cause or infection vector, only that the code was added to the system in some way, most times even unnoticed by the user.

    In case you suspect system manipulation by the user, you can verify whether the file SETHC.EXE matches the size of CMD.EXE (the mechanism of the exploit) and retrieve data such as the file modification time; in some cases the user will appear as well. However, this should not be taken as enough proof to blame the user, as some infections may act in the same environment session as the user.

    In case you want to fully protect the systems, you can use the registry editor and change the permissions for that registry key so that only the Administrator has access. The path and value for disabling Sticky Keys is:
    HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys\Flags="506" (by default the value is 510)

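As an added example, not code from this thread, from Microsoft, or from the linked article: a PowerShell triage script that performs the check the accepted answer describes (compare sethc.exe against cmd.exe, pull the modification time and the file owner) and, with -Harden, applies the HKCU StickyKeys Flags value from the answer. It goes beyond the answer in two ways: it runs the same comparison over the other accessibility helpers reachable from the logon screen (utilman.exe, the binary Andrew's link discusses, plus osk, narrator, magnify and displayswitch), and it checks the Image File Execution Options "Debugger" value for each of them, which is the registry-based variant of the same hijack that leaves the file itself untouched. The target list, the expectation that System32 binaries are owned by NT SERVICE\TrustedInstaller, and the OriginalFilename version-info check are assumptions about a default Windows 10 install; $System32 can be pointed at an offline copy of the image.

```powershell
# Added example (not from the original thread): triage the logon-screen
# accessibility binaries for a "Sticky Keys binary hijack", then optionally
# apply the HKCU StickyKeys hardening from the accepted answer.
# Run from an elevated PowerShell. $System32 is an assumption: point it at a
# mounted offline image (e.g. D:\Windows\System32) to triage a swapped laptop.
param(
    [string]$System32 = "$env:SystemRoot\System32",
    [switch]$Harden
)

# Assumed target list: helpers Windows launches from the logon screen, so a
# replaced copy gives an attacker a shell before anyone logs on.
$targets = 'sethc.exe','utilman.exe','osk.exe','narrator.exe','magnify.exe','displayswitch.exe'
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

$cmd     = Get-Item (Join-Path $System32 'cmd.exe')
$cmdHash = (Get-FileHash $cmd.FullName -Algorithm SHA256).Hash

foreach ($name in $targets) {
    $path = Join-Path $System32 $name
    if (-not (Test-Path $path)) { continue }

    $f    = Get-Item $path
    $hash = (Get-FileHash $path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature $path
    $acl  = Get-Acl $path
    # Registry variant of the hijack: IFEO\<name>\Debugger redirects the launch
    # to another program without modifying the file on disk.
    $ifeo = Get-ItemProperty -Path (Join-Path $ifeoRoot $name) -Name Debugger -ErrorAction SilentlyContinue

    $findings = @()
    if ($hash -eq $cmdHash) {
        # The classic hijack: the helper IS cmd.exe. Note the signature will
        # still be a valid Microsoft one, so the hash, not the signature, is
        # the tell.
        $findings += 'content identical to cmd.exe'
    } elseif ($f.Length -eq $cmd.Length) {
        # The size-only check the accepted answer suggests; weaker than the hash.
        $findings += 'same size as cmd.exe'
    }
    # Assumed heuristic: a renamed binary keeps its original internal name.
    $orig = $f.VersionInfo.OriginalFilename
    if ($orig -and ($orig -ne $name)) { $findings += "OriginalFilename is $orig" }
    if ($sig.Status -ne 'Valid') { $findings += "signature $($sig.Status)" }
    # Assumed baseline: System32 binaries are owned by TrustedInstaller; an
    # owner of an interactive user or Administrators suggests a manual swap.
    if ($acl.Owner -ne 'NT SERVICE\TrustedInstaller') { $findings += "owner $($acl.Owner)" }
    if ($ifeo) { $findings += "IFEO Debugger = $($ifeo.Debugger)" }

    [pscustomobject]@{
        File         = $name
        Size         = $f.Length
        CreatedUtc   = $f.CreationTimeUtc
        LastWriteUtc = $f.LastWriteTimeUtc
        SHA256       = $hash
        Findings     = if ($findings) { $findings -join '; ' } else { 'ok' }
    }
}

if ($Harden) {
    # The accepted answer's setting: Flags "506" (default "510") turns off the
    # Sticky Keys hotkey for the current user. Being under HKCU, it applies only
    # to that user's own session; the file and IFEO checks above are what tell
    # you whether the binary itself was replaced or redirected.
    Set-ItemProperty -Path 'HKCU:\Control Panel\Accessibility\StickyKeys' `
        -Name Flags -Value '506' -Type String
}
```

Any row whose Findings column is not "ok" is worth pulling the file's timestamps and owner into the incident timeline alongside the alert times from the screenshots; a file that is byte-for-byte cmd.exe with an owner other than TrustedInstaller and a recent write time narrows the window considerably, while an IFEO Debugger entry means the file comparison alone would have missed the hijack.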

1 additional answer

  1. Andrew Blumhardt 9,871 Reputation points Microsoft Employee
    Jul 13, 2022, 12:13 PM

    It sounds something like what the article linked below describes. Possibly renaming cmd to utilman could expose cmd from Windows Key + U?

    https://www.technibble.com/bypass-windows-logons-utilman/

