Accessibility Features on Windows can be abused as a privilege escalation or persistence mechanism.
This persistence works by switching out one of the binaries associated with Accessibility Features with cmd.exe or whatever malware you choose. After the binary is replaced, pressing the sequence of keys required to trigger the feature at the logon screen yields code execution as SYSTEM.
An example is replacing C:\Windows\System32\sethc.exe with cmd.exe. At the logon screen, pressing Shift 5 times will spawn cmd.exe as SYSTEM.

This technique also works over RDP and is a popular backup persistence method used at CTFs and by many threat actors due to its ease of implementation.
In practice, this technique is used to recover lost passwords. With physical access to the system, you can boot up an OS from USB, mount the computer’s physical disk, and make the required alterations. After rebooting the system, trigger the backdoor to get a shell as SYSTEM and use net.exe to change the user’s password.
Affected Programs
| Feature | Executable | Keyboard Shortcut |
|---|---|---|
| Sticky Keys | sethc.exe | Shift 5 times |
| On-Screen Keyboard | osk.exe | Windows + Control + U |
| Utility Manager | utilman.exe | Windows + U |
| Display Switcher | DisplaySwitch.exe | Windows + P |
| App Switcher | AtBroker.exe | Alt + Tab |
| Magnifier | Magnify.exe | Windows + + |
| Narrator | Narrator.exe | Windows + Control + Enter |
Image File Execution Options
Alternatively, various Image File Execution Options features can be abused to achieve the same type of behavior.
For example, adding a Debugger value of C:\Windows\System32\cmd.exe to sethc.exe's key in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe will also spawn cmd.exe as SYSTEM when you press Shift five times on the logon screen.
Detection
An easy way to determine whether this technique has been used on a system is to compare the hashes of the accessibility feature executables with those of known good copies.
An easy way to verify this is to look up each program's hash on VirusTotal. If the filename VirusTotal reports for that hash is not the name of the file on disk, the file has probably been altered.
Some tools check for this technique by matching each accessibility tool against the hashes of cmd.exe or powershell.exe. If any of them are equal to cmd or powershell, this backdoor is likely present.
This is not the best strategy because other LOLBAS utilities such as ftp.exe can be used as an interactive shell instead of cmd.exe:
```
C:\Users\Daniel>ftp
ftp> !whoami
domain\daniel
ftp> !dir C:\
 Volume in drive C is Windows
 Volume Serial Number is PP5-1-D00D00

 Directory of C:\

09/05/2021  01:39 PM    <DIR>          Program Files
08/31/2021  05:15 PM    <DIR>          Program Files (x86)
08/31/2021  05:17 PM    <DIR>          Tools
08/17/2021  06:31 PM    <DIR>          Users
08/26/2021  06:31 PM    <DIR>          Windows
               0 File(s)              0 bytes
               5 Dir(s)  786,584,748,032 bytes free
```
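The following PowerShell script is an added example, not code from the original post. It covers both detection points above: it hashes each accessibility executable from the table for comparison against a known good copy, and instead of matching only cmd.exe or powershell.exe it reads the OriginalFilename field from each binary's PE version resource, which is how a renamed ftp.exe or any other LOLBAS shell stands out. It also checks the Image File Execution Options key for a Debugger value. It assumes a Windows host, an elevated session, the binaries living in System32, and that unmodified accessibility binaries carry their own name in OriginalFilename.

```powershell
# Added example (not from the original post). Assumptions: Windows host,
# elevated PowerShell, accessibility binaries in %SystemRoot%\System32, and
# unmodified binaries reporting their own name as OriginalFilename.

$accessibilityBinaries = @(
    'sethc.exe', 'osk.exe', 'utilman.exe', 'DisplaySwitch.exe',
    'AtBroker.exe', 'Magnify.exe', 'Narrator.exe'
)
$system32 = Join-Path $env:SystemRoot 'System32'
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Test-AccessibilityBackdoor {
    foreach ($name in $accessibilityBinaries) {
        $path = Join-Path $system32 $name
        $result = [ordered]@{
            Binary           = $name
            SHA256           = $null
            OriginalFilename = $null
            IfeoDebugger     = $null
            Suspicious       = $false
            Reason           = @()
        }

        if (Test-Path -LiteralPath $path) {
            # Hash to compare against a known good copy from the same Windows build.
            $result.SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

            # The PE version resource records the name the binary was built with
            # (cmd.exe reports "Cmd.Exe", ftp.exe reports "ftp.exe"). A renamed
            # LOLBAS shell is therefore flagged even if its hash is not on a denylist.
            $orig = (Get-Item -LiteralPath $path).VersionInfo.OriginalFilename
            $result.OriginalFilename = $orig
            $base = [IO.Path]::GetFileNameWithoutExtension($name)
            if ($orig -and $orig -notlike "$base*") {
                $result.Suspicious = $true
                $result.Reason += "OriginalFilename '$orig' does not match $name"
            }
        } else {
            $result.Suspicious = $true
            $result.Reason += "$path is missing"
        }

        # A Debugger value under the IFEO key for this name launches that program
        # in place of the accessibility tool, with the same SYSTEM context.
        $key = Join-Path $ifeoRoot $name
        if (Test-Path -LiteralPath $key) {
            $dbg = (Get-ItemProperty -LiteralPath $key -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ($dbg) {
                $result.IfeoDebugger = $dbg
                $result.Suspicious = $true
                $result.Reason += "IFEO Debugger set to '$dbg'"
            }
        }

        $result.Reason = $result.Reason -join '; '
        [pscustomobject]$result
    }
}

Test-AccessibilityBackdoor | Format-Table -AutoSize
```

Any row marked Suspicious deserves a closer look; a mismatched OriginalFilename or a populated IfeoDebugger column is a strong signal on its own, while the SHA256 column is there to be compared against a copy taken from a clean machine on the same build, since Windows updates change these hashes legitimately.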
Repairing Affected Systems
One way to repair this issue is with the System File Checker, sfc.exe.
Here, sfc.exe is run against an unaltered file:
```
PS C:\Windows\system32> sfc /scanfile=C:\windows\system32\sethc.exe

Windows Resource Protection did not find any integrity violations.
```
After replacing sethc.exe with cmd.exe, sfc.exe was able to repair it:
```
PS C:\Windows\system32> sfc /scanfile=C:\windows\system32\sethc.exe

Windows Resource Protection found corrupt files and successfully repaired them.
For online repairs, details are included in the CBS log file located at
windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log. For offline
repairs, details are included in the log file provided by the /OFFLOGFILE flag.
The system file repair changes will take effect after the next reboot.
```
If this doesn't work, another trick is to look for files with an extension of .bak or .old that may have been created as backups of the original binary.