F026 · MEDIUM · Suspicious · validator: passed
Image File Execution Options debugger on sethc.exe
Sticky Keys IFEO debugger persistence (sethc.exe)
Analyst narrative
Candidate cand-0102: registry persistence sets a Debugger value on sethc.exe under IFEO, the classic accessibility-feature backdoor. Windows launches the IFEO Debugger in place of the image, so pressing Shift five times at the logon screen runs the configured program (here cmd.exe) as SYSTEM without any credentials, which yields both persistence and privilege escalation. fact_ids=registry_persistence_fact-0003198
Claims asserted
path: hklm/software/microsoft/windows nt/currentversion/image file execution options/sethc.exe/debugger (source tool: parse_event_logs)
Proof chain · 1 fact
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
registry persistence fact · reg:hklm/software/microsoft/windows nt/currentversion/image file execution options/sethc.exe · parse_registry_persistence
Raw tool output · d9ff23e61d2fe1edadc6b97e096d01abcf1b5ac1
{"tool": "parse_registry_persistence", "source_hive": "/tmp/sift-onboard-mnt/rd01-case/Windows/System32/config/SOFTWARE", "hive_type": "SOFTWARE", "registry_path": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe", "value_name": "Debugger", "value_data": "C:\\Windows\\System32\\cmd.exe", "value_type": "REG_SZ", "value_data_truncated": false, "is_default": false, "persistence_type": "ifeo", "control_set": null, "is_active_controlset": null, "user_profile": null, "last_write_time": "2018-09-04T22:56:12.793392+00:00", "evidence_type": "registry_persi
Source tools
parse_event_logs
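The analyst narrative and the raw parse_registry_persistence record above describe one instance of the technique. The following is an added example, not code from the case tool or its parsers, showing detection logic a practitioner would run over a batch of such records: it flags an IFEO Debugger value on any of the accessibility binaries reachable from the logon screen (sethc.exe plus utilman.exe, osk.exe, narrator.exe, magnify.exe, displayswitch.exe and atbroker.exe, which is a generalisation beyond the single sethc.exe case on the page), and scores a shell or script host as the planted debugger higher than a real debugger. The record layout mirrors the raw tool output; the function and constant names, and the sample records, are constructed for this example.

```python
"""Flag IFEO Debugger hijacks of Windows accessibility binaries in
parse_registry_persistence-style fact records.

Added example; ACCESSIBILITY_BINARIES, SUSPICIOUS_DEBUGGERS, flag_ifeo_hijacks
and the SAMPLE_RECORDS are hypothetical and constructed for illustration.
"""

import json
import ntpath

# Binaries Windows launches from the logon screen (as SYSTEM) via accessibility
# features. An IFEO Debugger on any of them is the "sticky keys" style backdoor;
# sethc.exe is the case on the page, the rest are the same trick on other helpers.
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}

# What attackers actually plant as the "debugger": a shell, a script host or a
# LOLBin. A genuine debugger on these binaries is still reportable, just lower.
SUSPICIOUS_DEBUGGERS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "explorer.exe", "taskmgr.exe",
}

IFEO_PREFIX = r"hklm\software\microsoft\windows nt\currentversion\image file execution options"


def _ifeo_target(registry_path):
    """Return the hijacked image name if registry_path is a per-image IFEO key.
    Accepts either '\\' or '/' separators and any case."""
    p = registry_path.lower().replace("/", "\\")
    if not p.startswith(IFEO_PREFIX + "\\"):
        return None
    # Per-image keys sit one level under IFEO; anything deeper (e.g. a value
    # name appended to the path) is dropped.
    return p[len(IFEO_PREFIX) + 1:].split("\\")[0] or None


def _debugger_exe(value_data):
    """Executable name from a Debugger value, which may be quoted and carry args."""
    s = value_data.strip()
    cmd = s[1:].split('"', 1)[0] if s.startswith('"') else s.split(" ", 1)[0]
    return ntpath.basename(cmd).lower()


def flag_ifeo_hijacks(records):
    """Return findings for IFEO Debugger values redirecting an accessibility binary."""
    findings = []
    for rec in records:
        if rec.get("persistence_type") != "ifeo":
            continue
        if rec.get("value_name", "").lower() != "debugger":
            continue
        target = _ifeo_target(rec.get("registry_path", ""))
        if target not in ACCESSIBILITY_BINARIES:
            continue
        exe = _debugger_exe(rec.get("value_data", ""))
        findings.append({
            "target": target,
            "debugger_exe": exe,
            "debugger_value": rec.get("value_data", ""),
            "severity": "high" if exe in SUSPICIOUS_DEBUGGERS else "medium",
            # A truncated value needs the full data pulled before triage.
            "value_truncated": bool(rec.get("value_data_truncated")),
            "last_write_time": rec.get("last_write_time"),
            "registry_path": rec.get("registry_path"),
        })
    return findings


# Constructed sample input. The first record mirrors the fact on the page.
SAMPLE_RECORDS = [
    {"tool": "parse_registry_persistence", "hive_type": "SOFTWARE",
     "registry_path": r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe",
     "value_name": "Debugger", "value_data": r"C:\Windows\System32\cmd.exe",
     "value_type": "REG_SZ", "value_data_truncated": False, "persistence_type": "ifeo",
     "last_write_time": "2018-09-04T22:56:12.793392+00:00"},
    # Constructed: quoted debugger path with an argument, on utilman.exe.
    {"registry_path": r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe",
     "value_name": "Debugger", "value_data": r'"C:\Tools\windbg.exe" -g',
     "value_type": "REG_SZ", "value_data_truncated": False, "persistence_type": "ifeo"},
    # Constructed: IFEO Debugger on a non-accessibility image; out of scope for
    # this logon-screen check and worth its own rule, so not flagged here.
    {"registry_path": r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe",
     "value_name": "Debugger", "value_data": r"C:\Users\Public\x.exe",
     "value_type": "REG_SZ", "persistence_type": "ifeo"},
    # Constructed: a non-Debugger IFEO value, ignored.
    {"registry_path": r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe",
     "value_name": "GlobalFlag", "value_data": "0x200", "value_type": "REG_DWORD",
     "persistence_type": "ifeo"},
]

if __name__ == "__main__":
    print(json.dumps(flag_ifeo_hijacks(SAMPLE_RECORDS), indent=2))
```

Run against the page's record the first finding is sethc.exe redirected to cmd.exe at high severity; the utilman.exe entry is reported at medium because windbg.exe is a real debugger, which still does not belong on a logon-screen binary on a production host. The check deliberately keys on the persistence_type and value_name fields rather than on the raw path string alone, so records written with forward slashes (as in the claim row above) are matched the same way.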