Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as "sticky keys", and has been used by adversaries for unauthenticated access through a remote desktop login screen. [1]
Depending on the version of Windows, an adversary may take advantage of these features in different ways. Common methods used by adversaries include replacing accessibility feature binaries or pointers/references to these binaries in the Registry. In newer versions of Windows, the replaced binary needs to be digitally signed for x64 systems, the binary must reside in %systemdir%\, and it must be protected by Windows File or Resource Protection (WFP/WRP). [2] The Image File Execution Options Injection debugger method was likely discovered as a potential workaround because it does not require the corresponding accessibility feature binary to be replaced.
For simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., C:\Windows\System32\utilman.exe) may be replaced with "cmd.exe" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over Remote Desktop Protocol will cause the replaced file to be executed with SYSTEM privileges. [3]
Other accessibility features exist that may also be leveraged in a similar fashion: [2][4]
C:\Windows\System32\osk.exeC:\Windows\System32\Magnify.exeC:\Windows\System32\Narrator.exeC:\Windows\System32\DisplaySwitch.exeC:\Windows\System32\AtBroker.exe| ID | Name | Description |
|---|---|---|
| G0016 | APT29 |
APT29 used sticky-keys to obtain unauthenticated, privileged console access.[5][6] |
| G0022 | APT3 |
APT3 replaces the Sticky Keys binary |
| G0096 | APT41 | |
| G0001 | Axiom |
Axiom actors have been known to use the Sticky Keys replacement within RDP sessions to obtain persistence.[9] |
| G0009 | Deep Panda |
Deep Panda has used the sticky-keys technique to bypass the RDP login screen on remote systems during intrusions.[10] |
| S0363 | Empire |
Empire can leverage WMI debugging to remotely replace binaries like sethc.exe, Utilman.exe, and Magnify.exe with cmd.exe.[11] |
| G0117 | Fox Kitten |
Fox Kitten has used sticky keys to launch a command prompt.[12] |
| ID | Mitigation | Description |
|---|---|---|
| M1038 | Execution Prevention |
Adversaries can replace accessibility features binaries with alternate binaries to execute this technique. Identify and block potentially malicious software executed through accessibility features functionality by using application control [13] tools, like Windows Defender Application Control[14], AppLocker, [15] [16] or Software Restriction Policies [17] where appropriate. [18] |
| M1035 | Limit Access to Resource Over Network |
If possible, use a Remote Desktop Gateway to manage connections and security configuration of RDP within a network.[19] |
| M1028 | Operating System Configuration |
To use this technique remotely, an adversary must use it in conjunction with RDP. Ensure that Network Level Authentication is enabled to force the remote desktop session to authenticate before the session is created and the login screen displayed. It is enabled by default on Windows Vista and later.[20] |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0017 | Command | Command Execution |
Monitor executed commands and arguments that may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Command line invocation of tools capable of modifying the Registry for associated keys are also suspicious. Utility arguments and the binaries themselves should be monitored for changes. Note: Event ID 4104 (from the Microsoft-Windows-Powershell/Operational log) captures Powershell script blocks, which can be analyzed and used to detect on abuse of Accessibility Features. |
| DS0022 | File | File Creation |
Monitor newly constructed files that may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. |
| File Modification |
Monitor for changes made to files that may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Changes to accessibility utility binaries or binary paths that do not correlate with known software, patch cycles, etc., are suspicious. |
||
| DS0009 | Process | Process Creation |
Monitor newly executed processes that may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. An adversary can use accessibility features (Ease of Access), such as StickyKeys or Utilman, to launch a command shell from the logon screen and gain SYSTEM access. Since an adversary does not have physical access to the machine, this technique must be run within Remote Desktop. To prevent an adversary from getting to the login screen without first authenticating, Network-Level Authentication (NLA) must be enabled. If a debugger is set up for one of the accessibility features, then it will intercept the process launch of the feature and instead execute a new command line. This analytic looks for instances of cmd.exe or powershell.exe launched directly from the logon process, winlogon.exe. Several accessibility programs can be run using the Ease of Access center
One simple way to implement this technique is to note that in a default Windows configuration there are no spaces in the path to the system32 folder. If the accessibility programs are ever run with a Debugger set, then Windows will launch the Debugger process and append the command line to the accessibility program. As a result, a space is inserted in the command line before the path. Looking for any instances of a space in the command line before the name of an accessibility program will help identify when Debuggers are set. The Windows Registry location HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options allows for parameters to be set for applications during execution. One feature used by malicious actors is the "Debugger" option. When a key has this value enabled, a Debugging command line can be specified. Windows will launch the Debugging command line, and pass the original command line in as an argument. Adversaries can set a Debugger for Accessibility Applications. The analytic looks for the original command line as an argument to the Debugger. When the strings "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", and "Magnify.exe" are detected in the arguments, but not as the main executable, it is very likely that a Debugger is set. Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic example looks for any creation of common accessibility processes such as sethc.exe but does no other filtering, which may result in false positives. Therefore, we recommend tuning any such analytics by including additional logic (e.g., testing the name of the parent process) that helps reduce false positives. Analytic 2 could depend on the possibility of the known strings used as arguments for other applications used in the day-to-day environment. Although the chance of the string "sethc.exe" being used as an argument for another application is unlikely, it still is a possibility. Analytic 1 - Command Launched from Winlogon
Analytic 2 - Debuggers for Accessibility Applications
|
| DS0024 | Windows Registry | Windows Registry Key Modification |
Monitor Registry keys within |