StickyKeys File Replace Backdoor

Checks the hashes of the Windows accessibility tools that can be launched from the logon screen (osk.exe, sethc.exe, narrator.exe, magnify.exe, displayswitch.exe) and flags any whose SHA-256 matches that of cmd.exe, powershell.exe, or explorer.exe. An attacker with write access to System32 copies a shell over one of these binaries (classically sethc.exe, the Sticky Keys handler) so that triggering the accessibility shortcut at the logon screen opens a SYSTEM shell without authenticating. The query joins osquery's hash table against itself on sha256. The trailing clause excludes e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, the SHA-256 of empty input, which the hash table reports for a path it cannot open; without it, a missing accessibility binary and a missing shell would match each other and raise a false alert. Each file is listed by exact path because the hash table requires a path constraint. Note that only byte-identical copies are caught: a backdoor set through an Image File Execution Options Debugger value, or a modified shell whose hash differs from the three listed, is not detected by this query. More info: https://github.com/TrullJ/sticky-keys-scanner/blob/master/TestFor-StickyKey.ps1

Query

SELECT * FROM hash WHERE (path='c:\windows\system32\osk.exe' OR path='c:\windows\system32\sethc.exe' OR path='c:\windows\system32\narrator.exe' OR path='c:\windows\system32\magnify.exe' OR path='c:\windows\system32\displayswitch.exe') AND sha256 IN (SELECT sha256 FROM hash WHERE path='c:\windows\system32\cmd.exe' OR path='c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe' OR path='c:\windows\system32\explorer.exe') AND sha256!='e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855';
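To see what the query actually flags, the following added example (not part of the osquery pack or the linked scanner) loads constructed rows shaped like osquery's hash table into an in-memory SQLite database and runs the pack query verbatim, once as written and once with the empty-hash guard removed. The file contents and the scenario (cmd.exe copied over sethc.exe; magnify.exe and powershell.exe unreadable) are assumptions made up for the demonstration.

```python
import hashlib
import sqlite3

# SHA-256 of zero bytes: the value the pack query excludes, because the
# osquery hash table reports it for a path it cannot open.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

SYS32 = r"c:\windows\system32"

# The pack query, copied verbatim; backslashes are literal in SQLite strings.
PACK_QUERY = r"""SELECT * FROM hash WHERE (path='c:\windows\system32\osk.exe' OR path='c:\windows\system32\sethc.exe' OR path='c:\windows\system32\narrator.exe' OR path='c:\windows\system32\magnify.exe' OR path='c:\windows\system32\displayswitch.exe') AND sha256 IN (SELECT sha256 FROM hash WHERE path='c:\windows\system32\cmd.exe' OR path='c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe' OR path='c:\windows\system32\explorer.exe') AND sha256!='e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855';"""

# Constructed file contents for one host (assumption: the bytes are
# placeholders, only the hash relationships between rows matter).
# b"" models a path the hash table could not read, which yields EMPTY_SHA256.
SAMPLE_FILES = [
    (SYS32 + r"\cmd.exe", b"genuine cmd.exe"),
    (SYS32 + r"\explorer.exe", b"genuine explorer.exe"),
    (SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe", b""),  # unreadable
    (SYS32 + r"\sethc.exe", b"genuine cmd.exe"),  # cmd.exe copied over sethc.exe
    (SYS32 + r"\osk.exe", b"genuine osk.exe"),
    (SYS32 + r"\narrator.exe", b"genuine narrator.exe"),
    (SYS32 + r"\magnify.exe", b""),  # unreadable
    (SYS32 + r"\displayswitch.exe", b"genuine displayswitch.exe"),
]


def build_hash_table(files):
    """Load rows with the columns of osquery's hash table
    (path, directory, md5, sha1, sha256) into an in-memory SQLite database."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE hash (path TEXT, directory TEXT, md5 TEXT, sha1 TEXT, sha256 TEXT)"
    )
    for path, content in files:
        directory = path.rsplit("\\", 1)[0]
        con.execute(
            "INSERT INTO hash VALUES (?, ?, ?, ?, ?)",
            (
                path,
                directory,
                hashlib.md5(content).hexdigest(),
                hashlib.sha1(content).hexdigest(),
                hashlib.sha256(content).hexdigest(),
            ),
        )
    con.commit()
    return con


def flagged_paths(con, query):
    """Paths returned by a detection query, sorted for stable comparison."""
    return sorted(row[0] for row in con.execute(query))


def run_detection(files=SAMPLE_FILES):
    """Run the pack query, then the same query with its sha256!= guard
    stripped, to show what the guard suppresses.
    Returns (with_guard, without_guard)."""
    con = build_hash_table(files)
    with_guard = flagged_paths(con, PACK_QUERY)
    unguarded_query = PACK_QUERY.split(" AND sha256!=")[0] + ";"
    without_guard = flagged_paths(con, unguarded_query)
    return with_guard, without_guard


if __name__ == "__main__":
    with_guard, without_guard = run_detection()
    print("flagged by pack query:", with_guard)
    print("flagged without the empty-hash guard:", without_guard)
```

The pack query flags only sethc.exe; the unguarded variant also flags magnify.exe, purely because it and powershell.exe both hashed to the empty-input value. The same harness can replay any pack query offline against real rows exported from a host with osqueryi instead of the constructed list.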

Additional Query Info

  • Version: 2.2.1 (minimum osquery version required to run this query)
  • Interval: 3600 (seconds between scheduled runs)

JSON

{
  "queries": {
    "StickyKeys File Replace Backdoor": {
      "query": "SELECT * FROM hash WHERE (path='c:\\windows\\system32\\osk.exe' OR path='c:\\windows\\system32\\sethc.exe' OR path='c:\\windows\\system32\\narrator.exe' OR path='c:\\windows\\system32\\magnify.exe' OR path='c:\\windows\\system32\\displayswitch.exe') AND sha256 IN (SELECT sha256 FROM hash WHERE path='c:\\windows\\system32\\cmd.exe' OR path='c:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe' OR path='c:\\windows\\system32\\explorer.exe') AND sha256!='e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855';",
      "interval": "3600",
      "platform": "",
      "version": "2.2.1",
      "description": "Checks the hashes of accessibility tools to ensure they don't match the hashes of cmd.exe, powershell.exe, or explorer.exe. More info: (https://github.com/TrullJ/sticky-keys-scanner/blob/master/TestFor-StickyKey.ps1)",
      "value": ""
    }
  }
}