Sticky Keys Registry Backdoor

Description: Sticky Keys Registry Backdoor Query

What The Data Shows: Searches for the presence of a 'Debugger' value under the Image File Execution Options registry keys of the common Windows accessibility tools, the setting that turns a Sticky Keys style backdoor on. More info: https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/

SQL:

SELECT path,data,
datetime(mtime,"unixepoch","localtime") as mtime
FROM registry
WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%%'
AND name='Debugger';
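As an added example (not part of the original submission or of Carbon Black's own tooling), a small Python triage of this query's `osqueryi --json` output that keeps only the Debugger values set on accessibility binaries, so legitimate developer debuggers registered under IFEO do not drown out the real finding. The accessibility binary list and the sample rows are assumptions constructed for the example.

```python
import json

# Accessibility binaries that the Sticky Keys backdoor technique hijacks via IFEO
# (assumed list; extend it for your environment).
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options")

# Constructed sample of what `osqueryi --json` prints for the query above
# (an osquery registry row's `path` is the key, a backslash, then the value name).
SAMPLE_OUTPUT = json.dumps([
    {"path": IFEO_PREFIX + r"\sethc.exe\Debugger",
     "data": r"C:\Windows\System32\cmd.exe", "mtime": "2016-10-03 09:12:44"},
    {"path": IFEO_PREFIX + r"\devenv.exe\Debugger",
     "data": r"C:\Tools\windbg.exe -g", "mtime": "2016-09-20 15:01:02"},
    {"path": IFEO_PREFIX + r"\osk.exe\Debugger",
     "data": r"C:\Windows\System32\cmd.exe", "mtime": "2016-10-03 09:13:10"},
])


def image_from_path(path):
    """Return the lower-cased image name an IFEO 'Debugger' value applies to,
    or None when the row is not a Debugger value at all."""
    parent, _, value_name = path.rpartition("\\")
    if value_name.lower() != "debugger":
        return None
    return parent.rpartition("\\")[2].lower()


def triage_osquery_json(json_text):
    """Keep only Debugger values that redirect an accessibility tool.

    Every IFEO Debugger value deserves a look, but developer tools set them
    legitimately; a Debugger on sethc.exe or utilman.exe almost never is."""
    hits = []
    for row in json.loads(json_text):
        image = image_from_path(row["path"])
        if image in ACCESSIBILITY_BINARIES:
            hits.append({"image": image, "debugger": row["data"],
                         "mtime": row.get("mtime")})
    return hits


if __name__ == "__main__":
    for hit in triage_osquery_json(SAMPLE_OUTPUT):
        print(f"{hit['mtime']}  {hit['image']} -> {hit['debugger']}")
```

Pipe the real query output in with `osqueryi --json "<query>"` and feed the text to `triage_osquery_json`; the `mtime` column tells you when the value was last written, which is usually the first pivot for the investigation.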
2 Comments
kbrawley
Community Manager

Hi @stympanick thank you so much for your contribution! We'll get this tested and if it runs as expected we'll update your submission from "Under Review" to "CB Approved".

Thanks again!

jnelson
Carbon Black Employee
Status changed to: Approved