StickyKeys Registry Backdoor
Searches for the presence of the 'Debugger' registry key for common Windows accessibility tools. More info: https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
Query
SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%%' and name='Debugger';
Additional Query Info
- Version: 2.2.1
- Interval: 3600
JSON
{
  "queries": {
    "StickyKeys Registry Backdoor": {
      "query": "SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%%' and name='Debugger';",
      "interval": "3600",
      "platform": "",
      "version": "2.2.1",
      "description": "Searches for the presence of the 'Debugger' registry key for common Windows accessibility tools. More info: (https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/)",
      "value": ""
    }
  }
}