Detect Accessibility Features in Elastic Security
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows has accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). Adversaries may replace or add code to these programs: sethc.exe (Sticky Keys, invoked with Shift x5), utilman.exe (Utility Manager, Win+U), osk.exe (On-Screen Keyboard), Magnify.exe, Narrator.exe, DisplaySwitch.exe, AtBroker.exe. These programs may be replaced with a command shell (cmd.exe) or backdoor, or the Image File Execution Options (IFEO) debugger key can be used to trigger an arbitrary program instead of the accessibility feature, providing a SYSTEM shell at the logon screen without credentials.
MITRE ATT&CK
- Tactic
- Privilege Escalation Persistence
- Technique
- T1546 Event Triggered Execution
- Sub-technique
- T1546.008 Accessibility Features
- Canonical reference
- https://attack.mitre.org/techniques/T1546/008/
Elastic Detection Query
any where (
(
event.category == "process" and
process.name : ("sethc.exe", "utilman.exe", "osk.exe", "Magnify.exe", "Narrator.exe", "DisplaySwitch.exe", "AtBroker.exe") and
not process.parent.name : ("winlogon.exe", "svchost.exe", "explorer.exe")
) or
(
event.category == "registry" and
event.type : ("creation", "change") and
registry.path : (
"*\\Image File Execution Options\\sethc.exe\\Debugger",
"*\\Image File Execution Options\\utilman.exe\\Debugger",
"*\\Image File Execution Options\\osk.exe\\Debugger",
"*\\Image File Execution Options\\Magnify.exe\\Debugger",
"*\\Image File Execution Options\\Narrator.exe\\Debugger",
"*\\Image File Execution Options\\DisplaySwitch.exe\\Debugger",
"*\\Image File Execution Options\\AtBroker.exe\\Debugger"
)
) or
(
event.category == "file" and
event.type : ("creation", "change") and
file.name : ("sethc.exe", "utilman.exe", "osk.exe", "Magnify.exe", "Narrator.exe", "DisplaySwitch.exe", "AtBroker.exe") and
file.path : ("*\\Windows\\System32\\*", "*\\Windows\\SysWOW64\\*")
)
)Detects T1546.008 Accessibility Features abuse via three vectors: (1) suspicious execution of accessibility binaries from non-standard parent processes, (2) IFEO Debugger registry key set on accessibility binaries enabling pre-logon backdoor access, and (3) direct file replacement of accessibility binaries in System32/SysWOW64. All three techniques provide SYSTEM-level shell access at the Windows logon screen without credentials.
Data Sources
Required Tables
False Positives & Tuning
- Windows Update or DISM operations legitimately replacing accessibility binaries during patch installation — verify initiating process is TrustedInstaller.exe and correlate with patch management events
- Third-party accessibility software vendors (e.g., ZoomText, JAWS, Dragon NaturallySpeaking) that wrap or replace built-in accessibility binaries — verify vendor signature on replacement file and presence of legitimate installer
- System repair operations using sfc.exe (System File Checker) or DISM restoring corrupted accessibility binaries — parent process will be sfc.exe or dism.exe with legitimate command-line arguments
Other platforms for T1546.008
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Set IFEO Debugger on sethc.exe (Sticky Keys Backdoor)
Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger, Details=C:\Windows\System32\cmd.exe. Security Event ID 4657 if registry auditing is enabled. Process creation for reg.exe.
- Test 2Set IFEO Debugger on utilman.exe (Utility Manager Backdoor)
Expected signal: Sysmon Event ID 13: TargetObject contains Image File Execution Options\utilman.exe\Debugger. Process creation for reg.exe. The combination of IFEO + accessibility binary + Debugger value is a critical detection signal.
- Test 3Scan for Existing Accessibility Feature Backdoors
Expected signal: Process creation for powershell.exe with the enumeration script. Registry read events (Sysmon 12 if monitoring access events) for Image File Execution Options keys. This command is detection-safe — read-only, no modifications.
References (5)
- https://attack.mitre.org/techniques/T1546/008/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md
- https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack.html
- https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
- https://www.mandiant.com/resources/blog/apt41-dual-espionage-and-cyber-crime-operation
Unlock Pro Content
Get the full detection package for T1546.008 including response playbook, investigation guide, and atomic red team tests.