T1546.008 CrowdStrike LogScale · LogScale

Detect Accessibility Features in CrowdStrike LogScale

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows has accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). Adversaries may replace or add code to these programs: sethc.exe (Sticky Keys, invoked with Shift x5), utilman.exe (Utility Manager, Win+U), osk.exe (On-Screen Keyboard), Magnify.exe, Narrator.exe, DisplaySwitch.exe, AtBroker.exe. These programs may be replaced with a command shell (cmd.exe) or backdoor, or the Image File Execution Options (IFEO) debugger key can be used to trigger an arbitrary program instead of the accessibility feature, providing a SYSTEM shell at the logon screen without credentials.

MITRE ATT&CK

Tactic: Privilege Escalation, Persistence
Technique: T1546 Event Triggered Execution
Sub-technique: T1546.008 Accessibility Features
Canonical reference: https://attack.mitre.org/techniques/T1546/008/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql
// T1546.008 - Accessibility Features Abuse Detection
// Three vectors over one filtered event stream. LogScale has no union operator,
// so each vector is a branch of case{}; an event that matches no branch is dropped.
(#event_simpleName = "ProcessRollup2" OR #event_simpleName = "SyntheticProcessRollup2"
   OR #event_simpleName = "RegSetValue" OR #event_simpleName = "PeFileWritten")
| case {
    // Vector 1: accessibility binary started by an unexpected parent.
    // Normal parents: winlogon.exe at the logon screen, utilman.exe and
    // atbroker.exe (which start osk/magnify/narrator on the user's behalf),
    // explorer.exe when a user opens the tool from the desktop.
    (#event_simpleName = "ProcessRollup2" OR #event_simpleName = "SyntheticProcessRollup2")
    | ImageFileName = /(?i)\\(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker)\.exe$/
    | ParentBaseFileName != /(?i)^(winlogon|utilman|atbroker|explorer|svchost)\.exe$/
    | DetectionType := "ACCESSIBILITY_BINARY_LAUNCHED"
    | Severity := "HIGH";

    // Vector 2: IFEO Debugger value set on an accessibility binary.
    // Confirm the field names against your schema: FDR registry events carry
    // the key path as RegObjectName and the value name as RegValueName.
    #event_simpleName = "RegSetValue"
    | TargetPath = /(?i)\\Image File Execution Options\\(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker)\.exe/
    | TargetValueName = /(?i)^Debugger$/
    | DetectionType := "IFEO_DEBUGGER_SET"
    | Severity := "CRITICAL";

    // Vector 3: PE image written over an accessibility binary in System32 / SysWOW64.
    // The directory match is anchored so that System32\drivers and similar
    // subdirectories do not qualify.
    #event_simpleName = "PeFileWritten"
    | TargetFileName = /(?i)\\(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker)\.exe$/
    | TargetDirectoryName = /(?i)\\windows\\(system32|syswow64)\\?$/
    | DetectionType := "SYSTEM_FILE_MODIFIED"
    | Severity := "CRITICAL"
  }
| select([@timestamp, ComputerName, UserName, DetectionType, Severity,
          ImageFileName, CommandLine, ParentBaseFileName,
          TargetPath, TargetValueName, TargetFileName, TargetDirectoryName])
| sort(@timestamp, order=desc)
Severity: critical · Confidence: high

CrowdStrike LogScale (Falcon) detection for T1546.008 using three CQL vectors expressed as branches of a single case{} block over a shared event filter. It flags ProcessRollup2/SyntheticProcessRollup2 events where an accessibility binary starts under a parent other than winlogon.exe, utilman.exe, atbroker.exe, explorer.exe or svchost.exe; RegSetValue events that set an IFEO Debugger value for an accessibility binary; and PeFileWritten events that overwrite one of those binaries in System32 or SysWOW64. The two setup vectors are CRITICAL because a Debugger value under those keys, or a fresh PE written under those names, has almost no legitimate cause; the odd-parent launch is HIGH because it is a weaker, noisier signal. Note what the query does not cover: a shell obtained through the IFEO debugger is created by winlogon.exe as cmd.exe, not as sethc.exe, and a cmd.exe copied over sethc.exe runs under its new name with winlogon.exe as parent, so neither trips Vector 1. Hunt for those separately (winlogon.exe spawning an interpreter, or an accessibility binary spawning children).
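The shell itself leaves a process-creation trail that the three vectors do not look for, and it is the part of the technique an analyst most wants to catch. The following LogScale hunting query is an added example, not part of the page's detection package; it reuses the ProcessRollup2 field names from the query above (ImageFileName, CommandLine, ParentBaseFileName, UserName, ComputerName), and HuntReason is a label assigned here, not a sensor field. It relies on two facts about the technique: an IFEO debugger is launched with the original program's command line appended to its own, and the accessibility binaries are normally started only by winlogon.exe, utilman.exe, atbroker.exe or the user's shell.

```cql
// T1546.008 - hunt for the shell an accessibility backdoor hands out.
// Added example; not part of the page's detection package.
(#event_simpleName = "ProcessRollup2" OR #event_simpleName = "SyntheticProcessRollup2")
| case {
    // A: winlogon.exe starting an interpreter. At the logon screen winlogon
    // starts LogonUI, userinit and the accessibility binaries; it has no
    // reason to start cmd.exe or powershell.exe.
    ParentBaseFileName = /(?i)^winlogon\.exe$/
    | ImageFileName = /(?i)\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32)\.exe$/
    | HuntReason := "WINLOGON_SPAWNED_INTERPRETER";

    // B: IFEO debugger launch. The debugger is started with the original
    // command line appended, so cmd.exe's own CommandLine names sethc.exe.
    // This also surfaces "reg add ...\sethc.exe /v Debugger" and
    // "copy cmd.exe sethc.exe" from the setup phase.
    CommandLine = /(?i)\b(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker)\.exe\b/
    | ImageFileName != /(?i)\\(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker)\.exe$/
    | HuntReason := "ACCESSIBILITY_NAME_IN_CMDLINE";

    // C: an accessibility binary, or a cmd.exe copied over one, spawning a
    // child. utilman.exe and atbroker.exe legitimately start the on-screen
    // keyboard, magnifier and narrator; any other child is worth a look.
    ParentBaseFileName = /(?i)^(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker)\.exe$/
    | ImageFileName != /(?i)\\(osk|magnify|narrator|displayswitch|atbroker|utilman)\.exe$/
    | HuntReason := "ACCESSIBILITY_BINARY_SPAWNED_CHILD"
  }
// Aggregate so one interactive session does not produce hundreds of rows.
| groupBy([ComputerName, HuntReason, UserName, ParentBaseFileName, ImageFileName, CommandLine],
          function=[count(), min(@timestamp, as=FirstSeen), max(@timestamp, as=LastSeen)])
| sort(_count, order=desc)
```

Branch A is the one to promote to a scheduled alert: a logon-screen shell runs as SYSTEM under winlogon.exe, and that parent/child pair is rare enough in a fleet to be actionable on its own. Branches B and C are noisier (any administrator typing an accessibility binary name gets a row) and belong in a hunt, where the grouped view makes a single backdoor session stand out as one line with a SYSTEM UserName.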

Data Sources

  • CrowdStrike Falcon Endpoint Protection
  • CrowdStrike LogScale (Humio)
  • Falcon Sensor telemetry (ProcessRollup2, RegSetValue, PeFileWritten)
  • CrowdStrike Falcon Data Replicator (FDR)

Required Tables

  • ProcessRollup2
  • SyntheticProcessRollup2
  • RegSetValue
  • PeFileWritten

False Positives & Tuning

  • Windows servicing rewrites the accessibility binaries during feature and cumulative updates, so Vector 3 fires on legitimate updates. The writing process is TrustedInstaller.exe (or TiWorker.exe acting for it); confirm the writer, then suppress by matching SHA256HashData against a LogScale lookup file of approved Microsoft-signed hashes rather than excluding the writer name outright, since a process name is trivially spoofed by renaming a binary.
  • Authorized software deployment (CrowdStrike RTR, SCCM, Intune or similar) that stages replacement accessibility binaries. Verify by checking UserName against the deployment service accounts and confirming a matching change window. Third-party accessibility products normally install alongside the Windows binaries rather than over them, so a write to these paths outside a change window should be treated as real.
  • Forensic or incident-response tooling that restores a known-good accessibility binary from backup after a compromise. Identify by UserName matching IR team accounts and correlate with an open case in the ticketing system; the restore is itself a PeFileWritten to the monitored path and will fire Vector 3.
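A tuning pass over the file-replacement vector that applies the first two bullets, shown here as an added example rather than content from the page's detection package. Windows servicing writes are suppressed only when both the writer and the hash check out, deployment-account writes are kept but downgraded, and everything else alerts. Assumed, and not from the page: a lookup file named approved_accessibility_hashes.csv with a sha256 column uploaded to the repository, the service-account names svc-sccm and svc-intune, and that the PeFileWritten event carries the writing process name as ContextBaseFileName and the file hash as SHA256HashData (if your schema only carries ContextProcessId, join to ProcessRollup2 on TargetProcessId first to obtain the writer name).

```cql
// T1546.008 - tuning wrapper around the file-replacement vector.
// Added example. Lookup file name, account names and the ContextBaseFileName
// field are assumptions; adjust to your repository and schema.
#event_simpleName = "PeFileWritten"
| TargetFileName = /(?i)\\windows\\(system32|syswow64)\\(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker)\.exe$/
| Writer := lower(ContextBaseFileName)
| case {
    // Windows servicing: writer must be TrustedInstaller/TiWorker AND the hash
    // must be on the allow-list. match() with strict=true drops the event from
    // this branch when the hash is unknown, so it falls through to ALERT.
    in(Writer, values=["trustedinstaller.exe", "tiworker.exe"])
    | match(file="approved_accessibility_hashes.csv", field=SHA256HashData, column=sha256, strict=true)
    | Disposition := "SUPPRESSED_WINDOWS_SERVICING";

    // Deployment service accounts keep a row at reduced priority; the change
    // window is confirmed in the ticketing system, not here.
    in(UserName, values=["svc-sccm", "svc-intune"])
    | Disposition := "REVIEW_DEPLOYMENT_ACCOUNT";

    // Everything else, including a TrustedInstaller.exe write of an unknown hash.
    * | Disposition := "ALERT"
  }
| Disposition != "SUPPRESSED_WINDOWS_SERVICING"
| select([@timestamp, ComputerName, UserName, Writer, TargetFileName, SHA256HashData, Disposition])
| sort(@timestamp, order=desc)
```

The property worth keeping is that suppression requires two independent facts (writer name and signed hash) to agree; a renamed cmd.exe called TrustedInstaller.exe fails the hash check and alerts. If audit needs the suppressed rows, drop the Disposition filter and save the query with Disposition as a grouping field instead.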

Testing Methodology

Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Set IFEO Debugger on sethc.exe (Sticky Keys Backdoor)

    Expected signal: Sysmon Event ID 13 (Registry Value Set) with TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger and Details=C:\Windows\System32\cmd.exe; Security Event ID 4657 if a write SACL is set on the key; process creation for reg.exe (Sysmon Event ID 1, Falcon ProcessRollup2). In the query above this is the IFEO_DEBUGGER_SET vector.

  2. Test 2: Set IFEO Debugger on utilman.exe (Utility Manager Backdoor)

    Expected signal: Sysmon Event ID 13 with TargetObject containing Image File Execution Options\utilman.exe\Debugger, and process creation for reg.exe. The combination of an IFEO key, an accessibility binary name and a Debugger value has no routine legitimate use and is the highest-confidence signal on this page.

  3. Test 3: Scan for Existing Accessibility Feature Backdoors

    Expected signal: process creation for powershell.exe running the enumeration script, and nothing else. Sysmon does not record registry reads (Event ID 12 covers key create and delete, 13 value set, 14 rename), so the IFEO lookups leave no Sysmon registry event; Security Event ID 4663 appears only if a read SACL is configured on the keys. The test is read-only and makes no modifications, so it is safe to run on production hosts and should fire none of the three vectors.

Unlock Pro Content

Get the full detection package for T1546.008 including response playbook, investigation guide, and atomic red team tests.

Response Playbook · Investigation Guide · Hunting Queries · Atomic Red Team Tests · Tuning Guidance

Related Detections