Accessibility Features Persistence

Accessibility Features on Windows can be abused as a privilege escalation or persistence mechanism.

This persistence works by switching out one of the binaries associated with Accessibility Features with cmd.exe or whatever malware you choose. After the binary is replaced, pressing the sequence of keys required to trigger the feature at the logon screen yields code execution as SYSTEM.

An example is replacing C:\Windows\System32\sethc.exe with cmd.exe. At the logon screen, pressing Shift 5 times will spawn cmd.exe as SYSTEM.

Sticky Keys…

This technique also works over RDP and is a popular backup persistence method used at CTFs and by many threat actors due to its ease of implementation.

In practice, this technique is used to recover lost passwords. With physical access to the system, you can boot up an OS from USB, mount the computer’s physical disk, and make the required alterations. After rebooting the system, trigger the backdoor to get a shell as SYSTEM and use net.exe to change the user’s password.

Affected Programs

| Description | Executable | Keyboard Shortcut |
|---|---|---|
| Sticky Keys | sethc.exe | Shift 5 times |
| On-Screen Keyboard | osk.exe | Windows + Control + U |
| Utility Manager | utilman.exe | Windows + U |
| Display Switcher | DisplaySwitch.exe | Windows + P |
| App Switcher | AtBroker.exe | Alt + Tab |
| Magnifier | Magnify.exe | Windows + + |
| Narrator | Narrator.exe | Windows + Control + Enter |

Image File Execution Options

Alternatively, various Image File Execution Options features can be abused to achieve the same type of behavior.

For example, adding a Debugger value of C:\Windows\System32\cmd.exe to sethc.exe's key in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe will also spawn cmd.exe as SYSTEM when you press Shift five times on the logon screen.


An easy way to determine if this technique has been used on a system is by comparing the hashes of the accessibility feature executables with those of known good copies.

An easy way to verify this is by looking up each program's hash on VirusTotal. If the filename VirusTotal reports for the on-disk hash doesn't match the file's name, the file has probably been altered.

Some tools check for this technique by matching each accessibility tool against the hashes of cmd.exe or powershell.exe. If any of them are equal to cmd or powershell, this backdoor is likely present.

This is not the best strategy because other LOLBAS utilities such as ftp.exe can be used as an interactive shell instead of cmd.exe:

ftp> !whoami
ftp> !dir C:\
 Volume in drive C is Windows
 Volume Serial Number is PP5-1-D00D00

 Directory of C:\

09/05/2021  01:39 PM    <DIR>          Program Files
08/31/2021  05:15 PM    <DIR>          Program Files (x86)
08/31/2021  05:17 PM    <DIR>          Tools
08/17/2021  06:31 PM    <DIR>          Users
08/26/2021  06:31 PM    <DIR>          Windows
               0 File(s)              0 bytes
               5 Dir(s)  786,584,748,032 bytes free
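
To cover the ftp.exe case above, the following added example (not code from the original post) compares each accessibility binary against every executable in System32 instead of only cmd.exe and powershell.exe, and also checks the Image File Execution Options Debugger value described earlier. It assumes Windows 10 or later with PowerShell 5.1, where catalog signatures on system files are reported as Valid; the three checks and the output column names are this example's own choices.

```powershell
# Added example: audit the accessibility binaries listed in the table above.
# The three checks are this example's choices, not the original post's tooling.
$targets = 'sethc.exe','osk.exe','utilman.exe','DisplaySwitch.exe',
           'AtBroker.exe','Magnify.exe','Narrator.exe'
$sys32 = Join-Path $env:SystemRoot 'System32'
$ifeo  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Index every executable in System32 (plus powershell.exe) by SHA-256, so a
# swap with ANY of them (cmd.exe, ftp.exe, ...) is caught, not just two names.
$pool  = @(Get-ChildItem -Path $sys32 -Filter '*.exe' -File -ErrorAction SilentlyContinue)
$pool += @(Get-Item -LiteralPath "$sys32\WindowsPowerShell\v1.0\powershell.exe" -ErrorAction SilentlyContinue)
$byHash = @{}
foreach ($f in $pool) {
    $h = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    if (-not $h) { continue }                      # unreadable file, skip it
    if (-not $byHash.ContainsKey($h)) { $byHash[$h] = @() }
    $byHash[$h] += $f.Name
}

$results = foreach ($name in $targets) {
    $path = Join-Path $sys32 $name
    $findings = @()
    if (Test-Path -LiteralPath $path) {
        # 1. Same content as a differently named system executable?
        $hash  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $twins = @($byHash[$hash] | Where-Object { $_ -and $_ -ne $name })
        if ($twins.Count -gt 0) { $findings += "same hash as $($twins -join ', ')" }
        # 2. Not validly signed (catches replacement with an arbitrary binary).
        $sig = (Get-AuthenticodeSignature -LiteralPath $path).Status
        if ($sig -ne 'Valid') { $findings += "signature status $sig" }
    } else {
        $findings += 'file missing'
    }
    # 3. IFEO Debugger value redirecting the launch of this binary.
    $dbg = (Get-ItemProperty -Path (Join-Path $ifeo $name) -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings += "IFEO Debugger = $dbg" }
    [pscustomobject]@{
        Binary     = $name
        Suspicious = ($findings.Count -gt 0)
        Findings   = $findings -join '; '
    }
}
$results | Format-Table -AutoSize -Wrap
```

A validly signed system binary copied over an accessibility executable still passes the signature check, which is why the hash comparison against the whole directory is done as well.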

Repairing Affected Systems

One way to repair this issue is by using the System File Checker: sfc.exe

Here, sfc.exe is run against an unaltered file:

PS C:\Windows\system32> sfc /scanfile=C:\windows\system32\sethc.exe

Windows Resource Protection did not find any integrity violations.

After replacing sethc.exe with cmd.exe, sfc.exe was able to repair it:

PS C:\Windows\system32> sfc /scanfile=C:\windows\system32\sethc.exe

Windows Resource Protection found corrupt files and successfully repaired them.
For online repairs, details are included in the CBS log file located at
windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log. For offline
repairs, details are included in the log file provided by the /OFFLOGFILE flag.

The system file repair changes will take effect after the next reboot.

If this doesn’t work, another trick is to look for files with an extension of .bak or .old that may have been created as backups.


