T1546.008 Google Chronicle · YARA-L

Detect Accessibility Features in Google Chronicle

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows has accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). Adversaries may replace or add code to these programs: sethc.exe (Sticky Keys, invoked with Shift x5), utilman.exe (Utility Manager, Win+U), osk.exe (On-Screen Keyboard), Magnify.exe, Narrator.exe, DisplaySwitch.exe, AtBroker.exe. These programs may be replaced with a command shell (cmd.exe) or backdoor, or the Image File Execution Options (IFEO) debugger key can be used to trigger an arbitrary program instead of the accessibility feature, providing a SYSTEM shell at the logon screen without credentials.

MITRE ATT&CK

Tactic: Privilege Escalation, Persistence
Technique: T1546 Event Triggered Execution
Sub-technique: T1546.008 Accessibility Features
Canonical reference: https://attack.mitre.org/techniques/T1546/008/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule accessibility_features_abuse_t1546_008 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1546.008 - Accessibility Features abuse via IFEO debugger keys, binary replacement, or suspicious process execution providing pre-logon SYSTEM shell access"
    severity = "CRITICAL"
    priority = "HIGH"
    mitre_attack_tactic = "Persistence, Privilege Escalation"
    mitre_attack_technique = "T1546.008"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1546/008/"
    rule_version = "1.0"
    created = "2026-04-20"

  events:
    (
      $process_exec.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($process_exec.target.process.file.full_path,
        `(?i)(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker)\.exe$`) and
      not re.regex($process_exec.principal.process.file.full_path,
        `(?i)(winlogon|svchost|explorer)\.exe$`)
    )
    or
    (
      $reg_mod.metadata.event_type = "REGISTRY_MODIFICATION" and
      re.regex($reg_mod.target.registry.registry_key,
        `(?i)\\Image File Execution Options\\(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker)\.exe`) and
      $reg_mod.target.registry.registry_value_name = /(?i)debugger/
    )
    or
    (
      $file_write.metadata.event_type = "FILE_CREATION" and
      re.regex($file_write.target.file.full_path,
        `(?i)\\(system32|syswow64)\\(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker)\.exe$`)
    )

  condition:
    $process_exec or $reg_mod or $file_write
}

Chronicle YARA-L 2.0 rule detecting T1546.008 Accessibility Features persistence and privilege escalation. Monitors three distinct attack vectors using UDM event types: PROCESS_LAUNCH for accessibility binary execution with unexpected parent processes, REGISTRY_MODIFICATION for IFEO Debugger key creation targeting accessibility binaries, and FILE_CREATION for direct binary replacement in System32/SysWOW64. Any match triggers a CRITICAL alert given the pre-logon SYSTEM shell access these techniques provide.
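To unit-test the rule's three branches before deploying it, here is the same logic re-implemented in Python and run over constructed UDM-shaped events. This is an added example, not code from the page or from Chronicle; the sample events are made up (one is shaped like the Test 1 Sysmon Event ID 13 signal from the testing section, one like the TrustedInstaller tuning case) and the dotted-path field names follow UDM as used in the rule.

```python
import re
# Regexes copied from the three branches of the YARA-L rule above
ACCESS_BIN = r"(?i)(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker)\.exe$"
TRUSTED_PARENT = r"(?i)(winlogon|svchost|explorer)\.exe$"
IFEO_KEY = r"(?i)\\Image File Execution Options\\(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker)\.exe"
SYSTEM_DIR_BIN = r"(?i)\\(system32|syswow64)\\(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker)\.exe$"

def get(event, path):
    """Read a dotted UDM path such as 'target.process.file.full_path'; '' when absent."""
    cur = event
    for part in path.split("."):
        cur = cur.get(part, {}) if isinstance(cur, dict) else {}
    return cur if isinstance(cur, str) else ""

def match_branch(event):
    """Return the rule branch the event satisfies ('process_exec', 'reg_mod', 'file_write') or None."""
    etype = get(event, "metadata.event_type")
    if etype == "PROCESS_LAUNCH":  # accessibility binary with an unexpected parent
        return "process_exec" if (re.search(ACCESS_BIN, get(event, "target.process.file.full_path"))
            and not re.search(TRUSTED_PARENT, get(event, "principal.process.file.full_path"))) else None
    if etype == "REGISTRY_MODIFICATION":  # IFEO Debugger value on an accessibility binary
        return "reg_mod" if (re.search(IFEO_KEY, get(event, "target.registry.registry_key"))
            and re.search(r"(?i)debugger", get(event, "target.registry.registry_value_name"))) else None
    if etype == "FILE_CREATION":  # binary written into System32/SysWOW64
        return "file_write" if re.search(SYSTEM_DIR_BIN, get(event, "target.file.full_path")) else None
    return None
IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SAMPLE_EVENTS = {  # constructed UDM-shaped events, not real telemetry
    # Test 1's expected Sysmon Event ID 13 signal, mapped into UDM
    "ifeo_sethc": {"metadata": {"event_type": "REGISTRY_MODIFICATION"}, "target": {"registry": {
        "registry_key": IFEO + r"\sethc.exe", "registry_value_name": "Debugger"}}},
    # Sticky Keys launched normally from the logon screen: parent winlogon.exe is excluded
    "benign_sethc": {"metadata": {"event_type": "PROCESS_LAUNCH"},
        "principal": {"process": {"file": {"full_path": r"C:\Windows\System32\winlogon.exe"}}},
        "target": {"process": {"file": {"full_path": r"C:\Windows\System32\sethc.exe"}}}},
    # utilman.exe spawned by a shell instead of winlogon
    "shell_utilman": {"metadata": {"event_type": "PROCESS_LAUNCH"},
        "principal": {"process": {"file": {"full_path": r"C:\Windows\System32\cmd.exe"}}},
        "target": {"process": {"file": {"full_path": r"C:\Windows\System32\utilman.exe"}}}},
    # Patch-time replacement by TrustedInstaller: fires as written (the tuning case below)
    "patch_osk": {"metadata": {"event_type": "FILE_CREATION"},
        "target": {"file": {"full_path": r"C:\Windows\System32\osk.exe"}}},
    # IFEO Debugger on a non-accessibility binary: outside this rule's scope
    "ifeo_notepad": {"metadata": {"event_type": "REGISTRY_MODIFICATION"}, "target": {"registry": {
        "registry_key": IFEO + r"\notepad.exe", "registry_value_name": "Debugger"}}},
}
def evaluate(events=SAMPLE_EVENTS):
    """Map each sample event name to the branch it fires (None means no alert)."""
    return {name: match_branch(ev) for name, ev in events.items()}
```

The `patch_osk` result shows why the file_write branch needs the TrustedInstaller exclusion described under tuning: the branch never looks at the principal process.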

Data Sources

  • Google Chronicle SIEM
  • Chronicle UDM (Unified Data Model)
  • Windows Event Logs via Chronicle forwarder
  • Sysmon via Chronicle Windows forwarder
  • Microsoft Defender for Endpoint via Chronicle integration

Required Tables

  • UDM Events (process_launch)
  • UDM Events (registry_modification)
  • UDM Events (file_creation)

False Positives & Tuning

  • Windows Update TrustedInstaller service replacing accessibility binaries during cumulative patch installation — the principal.process.file.full_path will be TrustedInstaller.exe; add exclusion after verifying patch correlation in change management system
  • Enterprise deployment tools such as SCCM or Intune deploying accessibility software that overwrites default accessibility binaries — validate by checking if event correlates with an active deployment task in the endpoint management console
  • Accessibility technology vendors (e.g., Tobii Dynavox, Kurzweil) that register IFEO keys for legitimate application launching — maintain a Chronicle reference list of approved IFEO registry values and suppress known-good entries using Chronicle exclusion lists
Testing Methodology

Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Set IFEO Debugger on sethc.exe (Sticky Keys Backdoor)

    Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger, Details=C:\Windows\System32\cmd.exe. Security Event ID 4657 if registry auditing is enabled. Process creation for reg.exe.

  2. Test 2: Set IFEO Debugger on utilman.exe (Utility Manager Backdoor)

    Expected signal: Sysmon Event ID 13: TargetObject contains Image File Execution Options\utilman.exe\Debugger. Process creation for reg.exe. The combination of IFEO + accessibility binary + Debugger value is a critical detection signal.

  3. Test 3: Scan for Existing Accessibility Feature Backdoors

    Expected signal: Process creation for powershell.exe with the enumeration script. Registry read events (Sysmon 12 if monitoring access events) for Image File Execution Options keys. This command is detection-safe: read-only, no modifications.
