Last active
February 28, 2024 19:15
Gist: bohops/2444129419c8acf837aedda5f0e7f340
AccChecker LOLBIN [AccCheckConsole.exe]
*Purpose
- UI Accessibility Checker
- Verifies UI accessibility requirements

*LOLBIN Functionality/Steps
1) Go to "Custom Verification Routines" link in reference section and copy the sample verification C# code into Visual Studio.
2) Add proper assembly references (e.g. AccCheck.dll)
3) Insert your C# code under a target method such as Execute()
4) Compile to a .NET managed library (DLL)
5) Invoke the code
   a) There are several ways to do this. Easiest is to specify a program window name (e.g. you are going to get a handle to this).
      For POC, I'd recommend just opening notepad.exe and using the default Window name - "Untitled - Notepad"
   b) Run the following command:
      AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll

*LOLBAS Categories
- Other MS Binary
- Execute
- AWL Bypass (AppLocker)

*Location(s)
- From Windows SDK
- C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\AccChecker
- C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\AccChecker
- c:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\arm\AccChecker
- c:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\arm64\AccChecker
- (Other locations likely depending on SDK version and architecture)

*Testing
- Windows 10 Pro
- Windows 10 Enterprise
- Windows 11 Enterprise

*Detection/Prevention
- Quick KQL Search: process.name:"AccCheckConsole.exe" and process.command_line: *window* and process.args_count > 3
- WDAC blocks execution of unsigned DLL
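
The quick search above, restated as an added Python example (not part of the original gist): it applies the same three conditions to ECS-style process events and returns any DLL arguments for triage. The sample events, host names, and the case-insensitive matching are assumptions made for illustration.

```python
from pathlib import PureWindowsPath

BINARY = "acccheckconsole.exe"

def is_suspect(event):
    """process.name:"AccCheckConsole.exe" and command_line:*window* and args_count > 3"""
    proc = event.get("process", {})
    name = (proc.get("name") or "").lower()        # assumption: ignore case
    cmdline = (proc.get("command_line") or "").lower()
    args_count = proc.get("args_count", len(proc.get("args") or []))
    return name == BINARY and "window" in cmdline and args_count > 3

def dll_arguments(event):
    """Return the .dll arguments so their path and signature can be checked."""
    args = (event.get("process", {}).get("args") or [])[1:]
    cleaned = [a.strip('"') for a in args]
    return [a for a in cleaned if PureWindowsPath(a).suffix.lower() == ".dll"]

def triage(events):
    """List (host, dll arguments) for every event matching the search."""
    return [(e["host"]["name"], dll_arguments(e)) for e in events if is_suspect(e)]

# Constructed sample events (not real telemetry); host names are hypothetical.
SAMPLE_EVENTS = [
    {"host": {"name": "WS-01"},   # command line as documented on this page
     "process": {"name": "AccCheckConsole.exe",
                 "command_line": 'AccCheckConsole.exe -window "Untitled - Notepad" '
                                 'C:\\path\\to\\your\\lolbas.dll',
                 "args": ["AccCheckConsole.exe", "-window", "Untitled - Notepad",
                          "C:\\path\\to\\your\\lolbas.dll"],
                 "args_count": 4}},
    {"host": {"name": "WS-02"},   # no library argument: args_count is only 3
     "process": {"name": "AccCheckConsole.exe",
                 "command_line": 'AccCheckConsole.exe -window "Untitled - Notepad"',
                 "args": ["AccCheckConsole.exe", "-window", "Untitled - Notepad"],
                 "args_count": 3}},
    {"host": {"name": "WS-03"},   # unrelated process
     "process": {"name": "notepad.exe", "command_line": "notepad.exe",
                 "args": ["notepad.exe"], "args_count": 1}},
]

if __name__ == "__main__":
    for host, dlls in triage(SAMPLE_EVENTS):
        print(f"{host}: AccCheckConsole.exe started with library argument(s) {dlls}")
```
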

*References:
- General: https://docs.microsoft.com/en-us/windows/win32/winauto/ui-accessibility-checker
- AccCheckConsole: https://docs.microsoft.com/en-us/windows/win32/winauto/the-accchecker-console
- Custom Verification Routines: https://docs.microsoft.com/en-us/windows/win32/winauto/custom-verification-routines