Built off the open source project Osquery
Description: Sticky Keys Registry Backdoor Query
What The Data Shows: Searches for the presence of the 'Debugger' registry key for common Windows accessibility tools. More info: (https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/)
SELECT path, data, datetime(mtime, 'unixepoch', 'localtime') AS mtime FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%%' AND name='Debugger';
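The query above matches every subkey of Image File Execution Options, so its results can include Debugger values set for programs other than the accessibility tools. The Python below is an added example (not part of the original submission) that triages rows carrying the query's path, data and mtime columns; the list of accessibility binaries and the sample rows are assumptions constructed for illustration.

```python
# Added example: triage rows returned by the IFEO 'Debugger' query.
IFEO_PREFIX = ("hkey_local_machine\\software\\microsoft\\windows nt"
               "\\currentversion\\image file execution options\\")

# Assumed list of accessibility binaries that can be launched from the logon screen.
ACCESSIBILITY_IMAGES = {
    "sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
    "narrator.exe", "displayswitch.exe", "atbroker.exe",
}


def triage(rows):
    """Classify query rows: 'high' for accessibility images, 'review' otherwise."""
    findings = []
    for row in rows:
        path = row["path"]
        if not path.lower().startswith(IFEO_PREFIX):
            continue  # not under Image File Execution Options
        # Remaining path is <image name>\...\Debugger; the first part is the image.
        parts = path[len(IFEO_PREFIX):].split("\\")
        if len(parts) < 2 or parts[-1].lower() != "debugger":
            continue
        image = parts[0].lower()
        findings.append({
            "image": image,
            "debugger": row["data"],
            "mtime": row["mtime"],
            "severity": "high" if image in ACCESSIBILITY_IMAGES else "review",
        })
    # High-severity findings first, then alphabetical by image name.
    findings.sort(key=lambda f: (f["severity"] != "high", f["image"]))
    return findings


# Constructed sample rows (not real telemetry), shaped like the query output.
_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
        r"\CurrentVersion\Image File Execution Options")
SAMPLE_ROWS = [
    # A Debugger value on a non-accessibility image, e.g. a Task Manager replacement.
    {"path": _KEY + r"\taskmgr.exe\Debugger",
     "data": r"C:\Tools\procexp64.exe", "mtime": "2023-02-01 09:30:00"},
    {"path": _KEY + r"\Utilman.exe\Debugger",
     "data": r"C:\Windows\System32\cmd.exe", "mtime": "2023-03-14 02:11:07"},
    {"path": _KEY + r"\sethc.exe\Debugger",
     "data": r"C:\Windows\System32\cmd.exe", "mtime": "2023-03-14 02:10:52"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f["severity"], f["image"], "->", f["debugger"], "modified", f["mtime"])
```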
Hi @stympanick thank you so much for your contribution! We'll get this tested and if it runs as expected we'll update your submission from "Under Review" to "CB Approved".