Potential Privilege Escalation Using Symlink Between Osk and Cmd

Rule Info

Name

Potential Privilege Escalation Using Symlink Between Osk and Cmd

Author

frack113

Description

Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.

Reference

https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md

Date

2022-12-11 00:00:00

Modified

2022-12-20 00:00:00

e9b61244-893f-427c-b287-3e708f321c6b

Rule History

Author

Title

Date

Commit

Swachchhanda Shrawan Poudel

Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory

2025-11-26

c141859b8

Nasreddine Bencherchali

Merge PR #5719 from @nasbench - Add regression test CI, data and simulation links

2025-11-25

2cb7375c6

Nasreddine Bencherchali

Merge PR #4950 from @nasbench - Comply With v2 Spec Changes

2024-08-12

598d29f81

frack113

Merge PR #4479 From @frack113 - Upgrade Rules Status

2023-10-17

020fc8061

IntelScott

Update proc_creation_win_cmd_mklink_osk_cmd.yml

2023-08-29

8efc81a08

Nasreddine Bencherchali

feat: update cmd based rules

2023-03-07

1378cf6d7

Nasreddine Bencherchali

feat: more updates

2023-03-06

e3503d5d6

Florian Roth

docs: change modified date

2022-12-21

7e7cbe41c

Nasreddine Bencherchali

fix: rename files to follow convention

2022-12-20

6679347fe

Nasreddine Bencherchali

feat: multiple update and enhancements

2022-12-19

ba3e985be

frack113

Apply suggestions from code review

2022-12-12

d797bf0eb

frack113

Redcannary

2022-12-11

646d86147