T1546.008

Accessibility Features

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows has accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). Adversaries may replace or add code to these programs: sethc.exe (Sticky Keys, invoked with Shift x5), utilman.exe (Utility Manager, Win+U), osk.exe (On-Screen Keyboard), Magnify.exe, Narrator.exe, DisplaySwitch.exe, AtBroker.exe. These programs may be replaced with a command shell (cmd.exe) or backdoor, or the Image File Execution Options (IFEO) debugger key can be used to trigger an arbitrary program instead of the accessibility feature, providing a SYSTEM shell at the logon screen without credentials.

Microsoft Sentinel / Defender

kusto

let AccessibilityBinaries = dynamic([
    "sethc.exe", "utilman.exe", "osk.exe", "Magnify.exe",
    "Narrator.exe", "DisplaySwitch.exe", "AtBroker.exe"
  ]);
let AccessibilityAbuse = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (AccessibilityBinaries)
| where InitiatingProcessFileName !in~ ("winlogon.exe", "svchost.exe")
   or AccountName == "SYSTEM" and InitiatingProcessFileName =~ "winlogon.exe"
| extend SuspiciousParent = InitiatingProcessFileName !in~ ("winlogon.exe", "svchost.exe", "explorer.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, SuspiciousParent;
let IFEORegistry = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has "Image File Execution Options"
| where RegistryValueName =~ "Debugger"
| where RegistryKey has_any (AccessibilityBinaries)
| project RegistryTime=Timestamp, DeviceName, AccountName, RegistryKey,
         RegistryValueName, RegistryValueData,
         InitiatingProcessFileName, InitiatingProcessCommandLine;
let BinaryReplacement = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName in~ (AccessibilityBinaries)
| where FolderPath has_any ("C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\")
| where ActionType in ("FileCreated", "FileModified")
| project FileTime=Timestamp, DeviceName, AccountName, FileName, FolderPath, ActionType,
         InitiatingProcessFileName;
union AccessibilityAbuse, (IFEORegistry | extend FileTime=RegistryTime),
      (BinaryReplacement | extend RegistryTime=FileTime)
| sort by Timestamp desc, RegistryTime desc, FileTime desc

critical severity high confidence

Data Sources

Windows Registry: Registry Key Modification Process: Process Creation File: File Creation File: File Modification Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceRegistryEvents DeviceFileEvents

False Positives

Accessibility software testing by QA teams that invoke accessibility features as part of test automation
Assistive technology configuration that legitimately modifies accessibility feature behavior for users with disabilities
Remote desktop sessions where accessibility features are launched by the remote desktop client
Security testing and penetration testing exercises that specifically test this known technique

Elastic Security (EQL)

eql

any where (
  (
    event.category == "process" and
    process.name : ("sethc.exe", "utilman.exe", "osk.exe", "Magnify.exe", "Narrator.exe", "DisplaySwitch.exe", "AtBroker.exe") and
    not process.parent.name : ("winlogon.exe", "svchost.exe", "explorer.exe")
  ) or
  (
    event.category == "registry" and
    event.type : ("creation", "change") and
    registry.path : (
      "*\\Image File Execution Options\\sethc.exe\\Debugger",
      "*\\Image File Execution Options\\utilman.exe\\Debugger",
      "*\\Image File Execution Options\\osk.exe\\Debugger",
      "*\\Image File Execution Options\\Magnify.exe\\Debugger",
      "*\\Image File Execution Options\\Narrator.exe\\Debugger",
      "*\\Image File Execution Options\\DisplaySwitch.exe\\Debugger",
      "*\\Image File Execution Options\\AtBroker.exe\\Debugger"
    )
  ) or
  (
    event.category == "file" and
    event.type : ("creation", "change") and
    file.name : ("sethc.exe", "utilman.exe", "osk.exe", "Magnify.exe", "Narrator.exe", "DisplaySwitch.exe", "AtBroker.exe") and
    file.path : ("*\\Windows\\System32\\*", "*\\Windows\\SysWOW64\\*")
  )
)

critical severity high confidence

Data Sources

Elastic Endpoint Security (endpoint) Elastic Defend integration Windows Event Logs via Filebeat (winlogbeat) Sysmon via Winlogbeat

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.registry-* logs-endpoint.events.file-* logs-windows.sysmon_operational-*

False Positives

Windows Update or DISM operations legitimately replacing accessibility binaries during patch installation — verify initiating process is TrustedInstaller.exe and correlate with patch management events
Third-party accessibility software vendors (e.g., ZoomText, JAWS, Dragon NaturallySpeaking) that wrap or replace built-in accessibility binaries — verify vendor signature on replacement file and presence of legitimate installer
System repair operations using sfc.exe (System File Checker) or DISM restoring corrupted accessibility binaries — parent process will be sfc.exe or dism.exe with legitimate command-line arguments

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username AS user_name,
  sourceip AS source_ip,
  QIDNAME(qid) AS event_name,
  "Process Name" AS process_name,
  "Parent Process Name" AS parent_process,
  "Command Line" AS command_line,
  "Target Object" AS registry_or_file_target,
  CASE
    WHEN "Target Object" ILIKE '%Image File Execution Options%' AND LOWER("Target Object") MATCHES '.*debugger.*' THEN 'IFEO_DEBUGGER_SET'
    WHEN QIDNAME(qid) ILIKE '%file%' AND LOWER("Target Object") MATCHES '.*(system32|syswow64).*' THEN 'SYSTEM_FILE_MODIFIED'
    ELSE 'ACCESSIBILITY_BINARY_LAUNCHED'
  END AS detection_type,
  CASE
    WHEN "Target Object" ILIKE '%Image File Execution Options%' AND LOWER("Target Object") MATCHES '.*debugger.*' THEN 'CRITICAL'
    WHEN QIDNAME(qid) ILIKE '%file%' AND LOWER("Target Object") MATCHES '.*(system32|syswow64).*' THEN 'CRITICAL'
    ELSE 'HIGH'
  END AS severity
FROM events
WHERE devicetime > NOW() - 86400000
  AND (
    (
      LOGSOURCETYPEID(logsourceid) IN (119, 144, 352, 368)
      AND LOWER("Process Name") MATCHES '.*(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker)\.exe'
      AND LOWER("Parent Process Name") NOT MATCHES '.*(winlogon|svchost|explorer)\.exe'
    )
    OR
    (
      LOGSOURCETYPEID(logsourceid) IN (119, 144, 352, 368)
      AND "Target Object" ILIKE '%Image File Execution Options%'
      AND LOWER("Target Object") MATCHES '.*(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker)\.exe'
      AND LOWER("Target Object") MATCHES '.*debugger.*'
    )
    OR
    (
      LOGSOURCETYPEID(logsourceid) IN (119, 144, 352, 368)
      AND LOWER("Target Object") MATCHES '.*(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker)\.exe'
      AND LOWER("Target Object") MATCHES '.*(system32|syswow64).*'
      AND CATEGORYNAME(category) ILIKE '%file%'
    )
  )
ORDER BY devicetime DESC

critical severity high confidence

Data Sources

IBM QRadar SIEM Windows Sysmon log source (LOGSOURCETYPEID 119) Windows Security Event log source (LOGSOURCETYPEID 144) Microsoft Windows Event Log (LOGSOURCETYPEID 352) Sysmon for Linux (LOGSOURCETYPEID 368)

Required Tables

events

False Positives

Windows Update mechanisms (wuauclt.exe, TiWorker.exe, TrustedInstaller.exe) replacing accessibility binaries during cumulative update installation — whitelist by verifying parent process is TrustedInstaller and cross-referencing with Windows Update log source events
Enterprise accessibility tools such as Nuance Dragon or Freedom Scientific JAWS that hook into or replace accessibility features for enhanced functionality — validate by checking software inventory and digital signature of the replacement binary
Microsoft Intune or SCCM remediation tasks that restore corrupted system files — correlate with change management ticket and verify initiating process is ccmexec.exe or IntuneManagementExtension.exe with expected deployment hash

Sumo Logic CSE

sql

_sourceCategory=*windows*
| where (%"sourcetype" = "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR %"sourcetype" = "WinEventLog:Security")
| parse "EventID=*" as EventID nodrop
| parse "Image=*" as Image nodrop
| parse "ParentImage=*" as ParentImage nodrop
| parse "CommandLine=*" as CommandLine nodrop
| parse "TargetObject=*" as TargetObject nodrop
| parse "TargetFilename=*" as TargetFilename nodrop
| parse "Computer=*" as Computer nodrop
| parse "User=*" as User nodrop
| parse "Details=*" as RegistryDetails nodrop
| where (
    (
      matches(toLowerCase(Image), "*(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker).exe*") AND
      !matches(toLowerCase(ParentImage), "*(winlogon|svchost|explorer).exe*")
    ) OR
    (
      EventID in ("12", "13") AND
      matches(TargetObject, "*Image File Execution Options*") AND
      matches(toLowerCase(TargetObject), "*(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker).exe*") AND
      matches(toLowerCase(TargetObject), "*debugger*")
    ) OR
    (
      EventID = "11" AND
      matches(toLowerCase(TargetFilename), "*(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker).exe*") AND
      matches(toLowerCase(TargetFilename), "*(system32|syswow64)*")
    )
  )
| eval DetectionType = if(matches(toLowerCase(TargetObject), "*debugger*"), "IFEO_DEBUGGER_SET",
    if(EventID = "11", "SYSTEM_FILE_MODIFIED", "ACCESSIBILITY_BINARY_LAUNCHED"))
| eval Severity = if(DetectionType = "IFEO_DEBUGGER_SET", "CRITICAL",
    if(DetectionType = "SYSTEM_FILE_MODIFIED", "CRITICAL", "HIGH"))
| fields _messageTime, Computer, User, EventID, DetectionType, Severity, TargetObject, TargetFilename, Image, CommandLine, RegistryDetails
| sort by _messageTime desc

critical severity high confidence

Data Sources

Sumo Logic Cloud SIEM Enterprise Windows Sysmon (XmlWinEventLog:Microsoft-Windows-Sysmon/Operational) Windows Security Event Log (WinEventLog:Security) Sumo Logic Windows Event Log Source

Required Tables

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Windows servicing stack updates using TrustedInstaller.exe replacing accessibility binaries — filter by checking if parent process is TrustedInstaller.exe and correlating event timing with Windows Update scheduled windows
Vendor-specific assistive technology software that legitimately replaces or wraps accessibility features — maintain an approved software inventory and suppress based on known-good hash values via Sumo Logic lookup tables
IT helpdesk remote session tools (TeamViewer, AnyDesk) that interact with accessibility features for remote support — identify by correlating with ServiceDesk ticket activity and verifying process digital signature chain

Google Chronicle / SecOps

yaral

rule accessibility_features_abuse_t1546_008 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1546.008 - Accessibility Features abuse via IFEO debugger keys, binary replacement, or suspicious process execution providing pre-logon SYSTEM shell access"
    severity = "CRITICAL"
    priority = "HIGH"
    mitre_attack_tactic = "Persistence, Privilege Escalation"
    mitre_attack_technique = "T1546.008"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1546/008/"
    rule_version = "1.0"
    created = "2026-04-20"

  events:
    (
      $process_exec.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($process_exec.target.process.file.full_path,
        `(?i)(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker)\.exe$`) and
      not re.regex($process_exec.principal.process.file.full_path,
        `(?i)(winlogon|svchost|explorer)\.exe$`)
    )
    or
    (
      $reg_mod.metadata.event_type = "REGISTRY_MODIFICATION" and
      re.regex($reg_mod.target.registry.registry_key,
        `(?i)\\Image File Execution Options\\(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker)\.exe`) and
      $reg_mod.target.registry.registry_value_name = /(?i)debugger/
    )
    or
    (
      $file_write.metadata.event_type = "FILE_CREATION" and
      re.regex($file_write.target.file.full_path,
        `(?i)\\(system32|syswow64)\\(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker)\.exe$`)
    )

  condition:
    $process_exec or $reg_mod or $file_write
}

critical severity high confidence

Data Sources

Google Chronicle SIEM Chronicle UDM (Unified Data Model) Windows Event Logs via Chronicle forwarder Sysmon via Chronicle Windows forwarder Microsoft Defender for Endpoint via Chronicle integration

Required Tables

UDM Events (process_launch) UDM Events (registry_modification) UDM Events (file_creation)

False Positives

Windows Update TrustedInstaller service replacing accessibility binaries during cumulative patch installation — the principal.process.file.full_path will be TrustedInstaller.exe; add exclusion after verifying patch correlation in change management system
Enterprise deployment tools such as SCCM or Intune deploying accessibility software that overwrites default accessibility binaries — validate by checking if event correlates with an active deployment task in the endpoint management console
Accessibility technology vendors (e.g., Tobii Dynavox, Kurzweil) that register IFEO keys for legitimate application launching — maintain a Chronicle reference list of approved IFEO registry values and suppress known-good entries using Chronicle exclusion lists

CrowdStrike LogScale (CQL)

cql

// T1546.008 - Accessibility Features Abuse Detection
// Vector 1: Accessibility binary execution from suspicious parent
(#event_simpleName = "ProcessRollup2" OR #event_simpleName = "SyntheticProcessRollup2")
| ImageFileName = /(?i)(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker)\.exe$/
| ParentBaseFileName != /(?i)(winlogon|svchost|explorer)\.exe$/
| DetectionType := "ACCESSIBILITY_BINARY_LAUNCHED"
| Severity := "HIGH"

// Union: Vector 2 - IFEO Debugger registry key set on accessibility binary
| union [
  #event_simpleName = "RegSetValue"
  | TargetPath = /(?i)\\Image File Execution Options\\(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker)\.exe/
  | TargetValueName = /(?i)^debugger$/
  | DetectionType := "IFEO_DEBUGGER_SET"
  | Severity := "CRITICAL"
]

// Union: Vector 3 - Accessibility binary written to System32 or SysWOW64
| union [
  #event_simpleName = "PeFileWritten"
  | TargetFileName = /(?i)(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker)\.exe$/
  | TargetDirectoryName = /(?i)(system32|syswow64)/
  | DetectionType := "SYSTEM_FILE_MODIFIED"
  | Severity := "CRITICAL"
]

| select([@timestamp, ComputerName, UserName, DetectionType, Severity,
          ImageFileName, CommandLine, ParentBaseFileName,
          TargetPath, TargetValueName, TargetFileName, TargetDirectoryName])
| sort(@timestamp, order=desc)

critical severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection CrowdStrike LogScale (Humio) Falcon Sensor telemetry (ProcessRollup2, RegSetValue, PeFileWritten) CrowdStrike Falcon Data Replicator (FDR)

Required Tables

ProcessRollup2 SyntheticProcessRollup2 RegSetValue PeFileWritten

False Positives

CrowdStrike Falcon sensor itself may generate PeFileWritten events when Windows Update replaces accessibility binaries — correlate with TrustedInstaller.exe as the writing process and suppress using a LogScale lookup referencing approved update hashes
Enterprise software deployment via CrowdStrike RTR or third-party tools that copy accessibility binary replacements as part of authorized accessibility software rollout — verify by checking UserName against service accounts used for software deployment and correlating with change window
Forensic or incident response tooling that reads and restores accessibility binary backups from a previous known-good state — identify by UserName matching IR team accounts and correlate with an active investigation case number in your ticketing system

Last updated: 2026-04-20 Research depth: deep

References (5)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1546.008 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1546Event Triggered Execution

Related Sub-techniques

T1546.001Change Default File Association T1546.002Screensaver T1546.003Windows Management Instrumentation Event Subscription T1546.004Unix Shell Configuration Modification T1546.005Trap T1546.006LC_LOAD_DYLIB Addition T1546.007Netsh Helper DLL T1546.009AppCert DLLs T1546.010AppInit DLLs T1546.011Application Shimming T1546.012Image File Execution Options Injection T1546.013PowerShell Profile T1546.014Emond T1546.015Component Object Model Hijacking T1546.016Installer Packages T1546.017Udev Rules T1546.018Python Startup Hooks

Accessibility Features

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Privilege Escalation

Popular Detections