Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
Two common accessibility programs are <code>C:\Windows\System32\sethc.exe</code>, launched when the shift key is pressed five times and <code>C:\Windows\System32\utilman.exe</code>, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as "sticky keys", and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit)
Depending on the version of Windows, an adversary may take advantage of these features in different ways. Common methods used by adversaries include replacing accessibility feature binaries or pointers/references to these binaries in the Registry. In newer versions of Windows, the replaced binary needs to be digitally signed for x64 systems, the binary must reside in <code>%systemdir%\</code>, and it must be protected by Windows File or Resource Protection (WFP/WRP). (Citation: DEFCON2016 Sticky Keys) The Image File Execution Options Injection debugger method was likely discovered as a potential workaround because it does not require the corresponding accessibility feature binary to be replaced.
For simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., <code>C:\Windows\System32\utilman.exe</code>) may be replaced with "cmd.exe" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over Remote Desktop Protocol will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014)
Other accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)(Citation: Narrator Accessibility Abuse)
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1546.008 | Accessibility Features |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
References
|
| PR.PS-01.02 | Least functionality | Mitigates | T1546.008 | Accessibility Features |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
References
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1546.008 | Accessibility Features |
Comments
This diagnostic statement provides protection from Accessibility Features through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges.
References
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1546.008 | Accessibility Features |
Comments
This diagnostic statement protects against Accessibility Features through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
References
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1546.008 | Accessibility Features |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
References
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1546.008 | Accessibility Features |
Comments
This diagnostic statement protects against Accessibility Features through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1546.008 | Accessibility Features | |
| CM-10 | Software Usage Restrictions | mitigates | T1546.008 | Accessibility Features | |
| SI-10 | Information Input Validation | mitigates | T1546.008 | Accessibility Features | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1546.008 | Accessibility Features | |
| CM-07 | Least Functionality | mitigates | T1546.008 | Accessibility Features | |
| SI-04 | System Monitoring | mitigates | T1546.008 | Accessibility Features |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| attribute.integrity.variety.Alter behavior | Influence or alter human behavior | related-to | T1546.008 | Accessibility Features |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| microsoft_sentinel | Microsoft Sentinel | technique_scores | T1546.008 | Accessibility Features |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can leverage WMI debugging to remotely replace binaries like seth.exe, utilman.exe, and magnify.exe with cmd.exe, but does not address other procedures.
References
|
| file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | technique_scores | T1546.008 | Accessibility Features |
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1546.008 | Accessibility Features |
Comments
This control may detect when the binary for the sticky keys utility has been replaced, possibly to gain persistence or execution. The following alerts may be generated: "Sticky keys attack detected".
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_secops | Google Security Operations | technique_scores | T1546.008 | Accessibility Features |
Comments
Google Security Ops is able to trigger an alert based off suspicious system processes that indicate usage and installation of a backdoor using built-in tools that are accessible from the login screen (e.g., sticky-keys attack).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/sticky_key_like_backdoor_usage.yaral
References
|