From 3571a7ad88c37eb4f6853d78a6dc9d6f1183dc21 Mon Sep 17 00:00:00 2001
From: bohops <jimmy@jbtech.us>
Date: Sun, 15 May 2022 16:55:16 -0400
Subject: [PATCH] Create AccCheckConsole.yml (#187)

---
 yml/OtherMSBinaries/AccCheckConsole.yml | 37 +++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 yml/OtherMSBinaries/AccCheckConsole.yml

diff --git a/yml/OtherMSBinaries/AccCheckConsole.yml b/yml/OtherMSBinaries/AccCheckConsole.yml
new file mode 100644
index 0000000..6c21705
--- /dev/null
+++ b/yml/OtherMSBinaries/AccCheckConsole.yml
@@ -0,0 +1,37 @@
+---
+Name: AccCheckConsole.exe
+Description: Verifies UI accessibility requirements
+Author: 'bohops'
+Created: 2022-01-02
+Commands:
+  - Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll
+    Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name.
+    Usecase: Local execution of managed code from assembly DLL.
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    OperatingSystem: Windows
+  - Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll
+    Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name.
+    Usecase: Local execution of managed code to bypass AppLocker.
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1218
+    OperatingSystem: Windows
+Full_Path:
+  - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\AccChecker\AccCheckConsole.exe
+  - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\AccChecker\AccCheckConsole.exe
+  - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\arm\AccChecker\AccCheckConsole.exe
+  - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\arm64\AccChecker\AccCheckConsole.exe
+Code_Sample:
+  - Code: https://docs.microsoft.com/en-us/windows/win32/winauto/custom-verification-routines
+Detection:
+  - IOC: Sysmon Event ID 1 - Process Creation
+  - Analysis: https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340
+Resources:
+  - Link: https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340
+  - Link: https://twitter.com/bohops/status/1477717351017680899
+Acknowledgement:
+  - Person: Jimmy
+    Handle: '@bohops'
+---