The Sticky Keys detection identifies potential adversary use of a compromised service account for persistence and privilege escalation, commonly seen in ransomware attacks. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage lateral movement and unauthorized access.
KQL Query
// Checks for possible hijacking of Sticky Keys feature
AlertInfo | where Title == "Sticky Keys binary hijack detected"
Query definition (YAML)
id: 3c82774a-df78-44eb-9ab3-13ef37c63ae4
name: Sticky Keys
description: |
  A technique used in numerous ransomware attacks is a Sticky Keys hijack for privilege escalation/persistence. Surface related alerts with this query.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - AlertInfo
tactics:
  - Ransomware
query: |
  // Checks for possible hijacking of Sticky Keys feature
  AlertInfo | where Title == "Sticky Keys binary hijack detected"
Scenario: Scheduled Task Execution with cmd.exe
Description: A legitimate scheduled task runs cmd.exe to perform routine system maintenance or software updates.
Filter/Exclusion: process.parent_process_name:"schtasks.exe" or process.parent_process_path:"C:\\Windows\\System32\\schtasks.exe"

Scenario: Admin Task Using runas to Elevate Privileges
Description: An administrator uses the runas command to execute a privileged task, such as configuring firewall rules or deploying patches.
Filter/Exclusion: process.command_line:"runas /user:Administrator" or process.user:"Administrator"

Scenario: PowerShell Script Execution with Start-Process
Description: A PowerShell script uses Start-Process to launch a legitimate administrative tool, such as diskpart or netsh.
Filter/Exclusion: process.command_line:"Start-Process -FilePath" or process.name:"powershell.exe" and process.parent_process_name:"explorer.exe"

Scenario: User Launching cmd.exe for Script Execution
Description: A user opens a command prompt to run a script for system cleanup or configuration, such as a batch file for log rotation.
Filter/Exclusion: process.name:"cmd.exe" and process.parent_process_name:"explorer.exe" and process.user:"<legitimate_user>"

Scenario: Security Tool or EDR Agent Performing Process Injection
Description: A legitimate endpoint security tool or EDR agent injects code into a process for monitoring or remediation purposes.
Filter/Exclusion: process.name:"<EDR_agent_process_name>" or process.parent_process_name:"<EDR_agent_process_name>"
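Before adding any of the exclusions above to a hunting query, it is worth checking exactly which events each clause would suppress, because a broad disjunct (for example process.user:"Administrator" on its own) silences every alert for that account, not only the runas case it was written for. The following Python is an added example, not part of this page or of any Sentinel content: it parses the five Filter/Exclusion clauses as written and applies them to a handful of constructed process events. It assumes search-style semantics (field:"value" terms, `and` binding tighter than `or`, a phrase term on process.command_line matching as a case-insensitive substring, every other field matching exactly) and fills the page's <legitimate_user> and <EDR_agent_process_name> placeholders with made-up values; the event records and field names are constructed to mirror the clauses.

```python
"""Apply the page's Filter/Exclusion clauses to constructed process events
to see which alerts each exclusion would suppress (added example)."""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Exclusion clauses quoted from the page, keyed by scenario name.
EXCLUSIONS: Dict[str, str] = {
    "Scheduled Task Execution with cmd.exe":
        r'process.parent_process_name:"schtasks.exe" or process.parent_process_path:"C:\\Windows\\System32\\schtasks.exe"',
    "Admin Task Using runas to Elevate Privileges":
        r'process.command_line:"runas /user:Administrator" or process.user:"Administrator"',
    "PowerShell Script Execution with Start-Process":
        r'process.command_line:"Start-Process -FilePath" or process.name:"powershell.exe" and process.parent_process_name:"explorer.exe"',
    "User Launching cmd.exe for Script Execution":
        r'process.name:"cmd.exe" and process.parent_process_name:"explorer.exe" and process.user:"<legitimate_user>"',
    "Security Tool or EDR Agent Performing Process Injection":
        r'process.name:"<EDR_agent_process_name>" or process.parent_process_name:"<EDR_agent_process_name>"',
}

# Constructed values for the page's placeholders (assumption: one allowlisted
# user and one EDR agent binary; substitute your own).
PLACEHOLDERS = {"<legitimate_user>": "jdoe", "<EDR_agent_process_name>": "edragent.exe"}

# field:"value" terms, the words and/or, and parentheses; whitespace is skipped.
TOKEN = re.compile(r'([A-Za-z_.]+):"((?:[^"\\]|\\.)*)"|\b(and|or)\b|([()])')


def tokenize(expr: str) -> List[Tuple[str, object]]:
    tokens: List[Tuple[str, object]] = []
    for m in TOKEN.finditer(expr):
        if m.group(1):
            # Unescape backslashes inside the quoted value (\\ -> \).
            tokens.append(("term", (m.group(1), m.group(2).replace("\\\\", "\\"))))
        elif m.group(3):
            tokens.append(("op", m.group(3)))
        else:
            tokens.append(("paren", m.group(4)))
    return tokens


def parse(tokens: List[Tuple[str, object]]) -> tuple:
    """Recursive-descent parser; 'and' binds tighter than 'or'."""
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def parse_or():
        nonlocal pos
        node = parse_and()
        while peek() == ("op", "or"):
            pos += 1
            node = ("or", node, parse_and())
        return node

    def parse_and():
        nonlocal pos
        node = parse_atom()
        while peek() == ("op", "and"):
            pos += 1
            node = ("and", node, parse_atom())
        return node

    def parse_atom():
        nonlocal pos
        kind, payload = tokens[pos]
        pos += 1
        if kind == "paren" and payload == "(":
            node = parse_or()
            pos += 1  # consume the closing parenthesis
            return node
        if kind != "term":
            raise ValueError(f"unexpected token {payload!r}")
        return ("term",) + payload  # -> ("term", field, value)

    tree = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in expression")
    return tree


def evaluate(node: tuple, event: Event) -> bool:
    kind = node[0]
    if kind == "term":
        _, field, value = node
        actual = event.get(field, "")
        if field == "process.command_line":
            return value.lower() in actual.lower()  # phrase query on free text
        return actual.lower() == value.lower()      # keyword field: exact match
    _, left, right = node
    l, r = evaluate(left, event), evaluate(right, event)
    return (l and r) if kind == "and" else (l or r)


def suppressed_by(event: Event) -> List[str]:
    """Names of the scenarios whose exclusion clause matches this event."""
    hits = []
    for scenario, expr in EXCLUSIONS.items():
        for placeholder, value in PLACEHOLDERS.items():
            expr = expr.replace(placeholder, value)
        if evaluate(parse(tokenize(expr)), event):
            hits.append(scenario)
    return hits


def remaining_alerts(events: List[Event]) -> List[str]:
    """IDs of events that no exclusion suppresses, i.e. what still alerts."""
    return [e["id"] for e in events if not suppressed_by(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    {"id": "e1", "process.name": "cmd.exe", "process.parent_process_name": "schtasks.exe",
     "process.parent_process_path": r"C:\Windows\System32\schtasks.exe",
     "process.command_line": "cmd.exe /c cleanup.bat", "process.user": "SYSTEM"},
    {"id": "e2", "process.name": "cmd.exe", "process.parent_process_name": "explorer.exe",
     "process.command_line": "cmd.exe /c rotate_logs.bat", "process.user": "jdoe"},
    {"id": "e3", "process.name": "powershell.exe", "process.parent_process_name": "explorer.exe",
     "process.command_line": "powershell.exe -File deploy.ps1", "process.user": "jdoe"},
    # Same as e2 but run by a user outside the <legitimate_user> allowlist: still alerts.
    {"id": "e4", "process.name": "cmd.exe", "process.parent_process_name": "explorer.exe",
     "process.command_line": "cmd.exe /c rotate_logs.bat", "process.user": "contractor1"},
    # No runas in the command line; the bare process.user:"Administrator" disjunct suppresses it.
    {"id": "e5", "process.name": "cmd.exe", "process.parent_process_name": "services.exe",
     "process.command_line": "cmd.exe /c dir", "process.user": "Administrator"},
    # Start-Process phrase present, parent is not explorer.exe: suppressed only because
    # 'and' binds tighter than 'or' in the PowerShell clause.
    {"id": "e6", "process.name": "powershell.exe", "process.parent_process_name": "svchost.exe",
     "process.command_line": "powershell.exe -Command Start-Process -FilePath netsh.exe",
     "process.user": "SYSTEM"},
    {"id": "e7", "process.name": "edragent.exe", "process.parent_process_name": "services.exe",
     "process.command_line": "edragent.exe --scan", "process.user": "SYSTEM"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["id"], "suppressed by:", suppressed_by(ev) or "nothing")
    print("still alerting:", remaining_alerts(SAMPLE_EVENTS))
```

Running it shows that only e4 survives the five exclusions, and that e5 is dropped by process.user:"Administrator" alone, with no runas in the command line at all. If that is not the intent, tighten the clause to the command-line term only, or anchor the user term to the runas parent, before shipping the exclusion to Sentinel.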