persist via Windows accessibility tools

rule:
  meta:
    name: persist via Windows accessibility tools
    namespace: persistence/file-system
    authors:
      - j.j.vannielen@utwente.nl
    scopes:
      static: function
      dynamic: call
    att&ck:
      - Persistence::Event Triggered Execution::Accessibility Features [T1546.008]
    references:
      - https://pentestlab.blog/2019/11/13/persistence-accessibility-features/
  features:
    - and:
      - or:
        - match: copy file
        - match: move file
        - match: write file on Windows
      - or:
        - string: /windows\\system32\\osk\.exe/i
        - string: /windows\\system32\\Magnify\.exe/i
        - string: /windows\\system32\\narator\.exe/i
        - string: /windows\\system32\\displayswitch\.exe/i
        - string: /windows\\system32\\atbroker\.exe/i
        - string: /windows\\system32\\sethc\.exe/i
        - string: /windows\\system32\\utilman\.exe/i