Built on the open source project osquery
Description: Sticky Keys Registry Backdoor Query
What The Data Shows: Searches the Image File Execution Options registry keys for a 'Debugger' value, the mechanism used to hijack common Windows accessibility tools. More info: https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
SQL:
-- path  = full path of the registry value (key + value name)
-- data  = the Debugger command line, i.e. the binary that will be launched instead of the image
-- mtime = last write time of the key, rendered as local time
SELECT path, data,
       datetime(mtime, 'unixepoch', 'localtime') AS mtime
FROM registry
-- '%%' is osquery's recursive wildcard: match every sub-key under Image File Execution Options
WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%%'
  AND name = 'Debugger';
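The query returns every IFEO 'Debugger' value on the host, which also includes legitimate registrations such as a developer's just-in-time debugger, so the rows still need triage. The script below is an added example, not part of the original page or of osquery: it assumes the query was run with `osqueryi --json` and post-processes the resulting rows, rating a hit as high severity when the hijacked image is one of the Windows accessibility binaries (the list of binaries is an assumption of this example, not taken from the page) and as informational otherwise. The sample rows are constructed.

```python
"""Triage osquery rows from the Sticky Keys / IFEO Debugger query (added example)."""
import json
import ntpath

# Accessibility binaries commonly hijacked via IFEO (assumed list, not from the page).
ACCESSIBILITY_TOOLS = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")

# Constructed sample output, shaped like `osqueryi --json` rows for the query above.
SAMPLE_ROWS_JSON = r"""[
  {"path": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger",
   "data": "C:\\Windows\\System32\\cmd.exe", "mtime": "2023-05-01 10:15:00"},
  {"path": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe\\Debugger",
   "data": "\"C:\\Program Files\\Tools\\vsjitdebugger.exe\" -p %ld -e %ld", "mtime": "2022-11-20 09:00:00"},
  {"path": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Utilman.exe\\Debugger",
   "data": "C:\\Windows\\System32\\cmd.exe", "mtime": "2023-05-01 10:16:00"}
]"""


def image_from_path(path: str) -> str:
    """Return the hijacked image name (lower-cased) from a value path of the form
    <IFEO key>\\<image.exe>\\Debugger, or "" if the path does not have that shape."""
    if not path.lower().startswith(IFEO_KEY.lower() + "\\"):
        return ""
    parts = path.split("\\")
    if len(parts) < 2 or parts[-1].lower() != "debugger":
        return ""
    return parts[-2].lower()


def debugger_binary(data: str) -> str:
    """Extract the executable name from the Debugger command line (first token,
    quoted or unquoted), lower-cased."""
    data = data.strip()
    if data.startswith('"'):
        first = data[1:].split('"', 1)[0]
    else:
        first = data.split(" ", 1)[0]
    return ntpath.basename(first).lower()


def triage(rows):
    """Classify each row; returns a list of findings in input order."""
    findings = []
    for row in rows:
        image = image_from_path(row.get("path", ""))
        if not image:
            continue  # not an IFEO Debugger value; ignore
        binary = debugger_binary(row.get("data", ""))
        if image in ACCESSIBILITY_TOOLS:
            severity = "high"
            reason = "accessibility tool redirected via IFEO Debugger (Sticky Keys backdoor pattern)"
        else:
            severity = "info"
            reason = "IFEO Debugger set for a non-accessibility image; confirm it is an approved debugger"
        findings.append({
            "image": image,
            "debugger": binary,
            "mtime": row.get("mtime", ""),
            "severity": severity,
            "reason": reason,
        })
    return findings


def high_severity(rows):
    """Convenience wrapper: only the findings an analyst must act on."""
    return [f for f in triage(rows) if f["severity"] == "high"]


if __name__ == "__main__":
    for finding in triage(json.loads(SAMPLE_ROWS_JSON)):
        print(f"[{finding['severity']:4}] {finding['image']} -> {finding['debugger']} "
              f"(modified {finding['mtime']}): {finding['reason']}")
```

Pipe the real query output in with `osqueryi --json "<query>" | python3 triage.py` after swapping `SAMPLE_ROWS_JSON` for `sys.stdin.read()`; the `mtime` column from the query is what lets an analyst correlate a high-severity hit with the time window of the suspected compromise.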
Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.