@bohops
Last active February 28, 2024 19:15
AccChecker LOLBIN [AccCheckConsole.exe]
*Purpose
- UI Accessibility Checker
- Verifies UI accessibility requirements
*LOLBIN Functionality/Steps
1) Go to the "Custom Verification Routines" link in the References section and copy the sample verification C# code into Visual Studio.
2) Add proper assembly references (e.g. AccCheck.dll)
3) Insert your C# code under a target method such as Execute()
4) Compile to a .NET managed library (DLL)
5) Invoke the code
a) There are several ways to do this. The easiest is to specify a program window name (the tool gets a handle to this window).
For a POC, I'd recommend just opening notepad.exe and using the default window name, "Untitled - Notepad"
b) Run the following command:
AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll
*LOLBAS Categories
- Other MS Binary
- Execute
- AWL Bypass (AppLocker)
*Location(s)
- From Windows SDK
- C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\AccChecker
- C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\AccChecker
- C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\arm\AccChecker
- C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\arm64\AccChecker
- (Other locations likely depending on SDK version and architecture)
*Testing
- Windows 10 Pro
- Windows 10 Enterprise
- Windows 11 Enterprise
*Detection/Prevention
- Quick KQL Search: process.name:"AccCheckConsole.exe" and process.command_line: *window* and process.args_count > 3
- WDAC blocks execution of unsigned DLL
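Added example (not part of the original gist): the same detection idea as the quick KQL search, written as a Python triage check over process-creation events. It goes slightly beyond the query by extracting the DLL argument and by flagging any AccCheckConsole.exe run that names a DLL, even without -window. The event field names (Image, CommandLine) and all sample events are constructed assumptions.

```python
import ntpath
import re

SDK = r"C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0"

# Constructed process-creation events (Sysmon-style field names assumed); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": SDK + r"\x64\AccChecker\AccCheckConsole.exe",
     "CommandLine": r'AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll'},
    {"Image": SDK + r"\x86\AccChecker\AccCheckConsole.exe",
     "CommandLine": '"' + SDK + r'\x86\AccChecker\AccCheckConsole.exe" -WINDOW Calculator '
                    r'"C:\Users\Public\my checks\v.DLL"'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\temp\AccCheckConsole.exe.txt"},
    {"Image": SDK + r"\arm64\AccChecker\AccCheckConsole.exe",
     "CommandLine": "AccCheckConsole.exe"},
]


def split_args(command_line):
    """Split a Windows command line, keeping a double-quoted string as one argument."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', command_line)]


def check_event(event):
    """Return a finding for an AccCheckConsole.exe run that names a DLL, else None."""
    if ntpath.basename(event["Image"]).lower() != "acccheckconsole.exe":
        return None
    args = split_args(event["CommandLine"])
    dlls = [a for a in args[1:] if a.lower().endswith(".dll")]
    if not dlls:
        return None
    window = any(a.lower() == "-window" for a in args)
    return {
        "dlls": dlls,                      # paths to review, e.g. for signature status
        "window_switch": window,
        "args_count": len(args),           # executable itself counts as one argument
        "matches_page_query": window and len(args) > 3,
    }


def scan(events):
    """Return findings for every event that check_event flags."""
    return [f for f in map(check_event, events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```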
*References:
- General: https://docs.microsoft.com/en-us/windows/win32/winauto/ui-accessibility-checker
- AccCheckConsole: https://docs.microsoft.com/en-us/windows/win32/winauto/the-accchecker-console
- Custom Verification Routines: https://docs.microsoft.com/en-us/windows/win32/winauto/custom-verification-routines