T1546.008 IBM QRadar · QRadar

Detect Accessibility Features in IBM QRadar

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows has accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). Adversaries may replace or add code to these programs: sethc.exe (Sticky Keys, invoked with Shift x5), utilman.exe (Utility Manager, Win+U), osk.exe (On-Screen Keyboard), Magnify.exe, Narrator.exe, DisplaySwitch.exe, AtBroker.exe. These programs may be replaced with a command shell (cmd.exe) or backdoor, or the Image File Execution Options (IFEO) debugger key can be used to trigger an arbitrary program instead of the accessibility feature, providing a SYSTEM shell at the logon screen without credentials.

MITRE ATT&CK

Tactic: Privilege Escalation, Persistence
Technique: T1546 Event Triggered Execution
Sub-technique: T1546.008 Accessibility Features
Canonical reference: https://attack.mitre.org/techniques/T1546/008/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  username AS user_name,
  sourceip AS source_ip,
  QIDNAME(qid) AS event_name,
  "Process Name" AS process_name,
  "Parent Process Name" AS parent_process,
  "Command Line" AS command_line,
  "Target Object" AS registry_or_file_target,
  CASE
    WHEN "Target Object" ILIKE '%Image File Execution Options%' AND LOWER("Target Object") MATCHES '.*debugger.*' THEN 'IFEO_DEBUGGER_SET'
    WHEN CATEGORYNAME(category) ILIKE '%file%' AND LOWER("Target Object") MATCHES '.*(system32|syswow64).*' THEN 'SYSTEM_FILE_MODIFIED'
    ELSE 'ACCESSIBILITY_BINARY_LAUNCHED'
  END AS detection_type,
  CASE
    WHEN "Target Object" ILIKE '%Image File Execution Options%' AND LOWER("Target Object") MATCHES '.*debugger.*' THEN 'CRITICAL'
    WHEN CATEGORYNAME(category) ILIKE '%file%' AND LOWER("Target Object") MATCHES '.*(system32|syswow64).*' THEN 'CRITICAL'
    ELSE 'HIGH'
  END AS severity
FROM events
WHERE devicetime > NOW() - 86400000
  AND (
    (
      LOGSOURCETYPEID(logsourceid) IN (119, 144, 352, 368)
      AND LOWER("Process Name") MATCHES '.*(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker)\.exe'
      AND LOWER("Parent Process Name") NOT MATCHES '.*(winlogon|svchost|explorer)\.exe'
    )
    OR
    (
      LOGSOURCETYPEID(logsourceid) IN (119, 144, 352, 368)
      AND "Target Object" ILIKE '%Image File Execution Options%'
      AND LOWER("Target Object") MATCHES '.*(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker)\.exe.*'
      AND LOWER("Target Object") MATCHES '.*debugger.*'
    )
    OR
    (
      LOGSOURCETYPEID(logsourceid) IN (119, 144, 352, 368)
      AND LOWER("Target Object") MATCHES '.*(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker)\.exe'
      AND LOWER("Target Object") MATCHES '.*(system32|syswow64).*'
      AND CATEGORYNAME(category) ILIKE '%file%'
    )
  )
ORDER BY devicetime DESC
```

Severity: critical · Confidence: high

QRadar AQL detection for T1546.008 covering three attack vectors: execution of an accessibility binary from a parent other than winlogon.exe, svchost.exe or explorer.exe; an Image File Execution Options Debugger value set on an accessibility binary; and direct replacement of an accessibility binary in System32 or SysWOW64. Events are restricted with LOGSOURCETYPEID to the Windows Sysmon (119), Windows Security (144), Microsoft Windows Event Log (352) and Sysmon for Linux (368) log sources, and AQL MATCHES carries the regex patterns. Because MATCHES must match the entire string value, the IFEO pattern has to allow trailing characters after the binary name: the registry TargetObject ends in \Debugger, not in .exe. The file branch uses CATEGORYNAME(category) rather than the QID name, so the same test should be used in the CASE labels to keep the detection_type and severity consistent with the WHERE clause.

Data Sources

  • IBM QRadar SIEM
  • Windows Sysmon log source (LOGSOURCETYPEID 119)
  • Windows Security Event log source (LOGSOURCETYPEID 144)
  • Microsoft Windows Event Log (LOGSOURCETYPEID 352)
  • Sysmon for Linux (LOGSOURCETYPEID 368)

Required Tables

events

False Positives & Tuning

  • Windows Update mechanisms (wuauclt.exe, TiWorker.exe, TrustedInstaller.exe) replacing accessibility binaries during cumulative update installation — whitelist by verifying parent process is TrustedInstaller and cross-referencing with Windows Update log source events
  • Enterprise accessibility tools such as Nuance Dragon or Freedom Scientific JAWS that hook into or replace accessibility features for enhanced functionality — validate by checking software inventory and digital signature of the replacement binary
  • Microsoft Intune or SCCM remediation tasks that restore corrupted system files — correlate with change management ticket and verify initiating process is ccmexec.exe or IntuneManagementExtension.exe with expected deployment hash

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Set IFEO Debugger on sethc.exe (Sticky Keys Backdoor)

    Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger, Details=C:\Windows\System32\cmd.exe. Security Event ID 4657 if registry auditing is enabled. Process creation for reg.exe.

  2. Test 2: Set IFEO Debugger on utilman.exe (Utility Manager Backdoor)

    Expected signal: Sysmon Event ID 13: TargetObject contains Image File Execution Options\utilman.exe\Debugger. Process creation for reg.exe. The combination of IFEO + accessibility binary + Debugger value is a critical detection signal.

  3. Test 3: Scan for Existing Accessibility Feature Backdoors

    Expected signal: Process creation for powershell.exe with the enumeration script. Registry read events (Sysmon 12 if monitoring access events) for Image File Execution Options keys. This command is detection-safe — read-only, no modifications.
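To check the query's branch logic offline before deploying it, here is an added Python example (not part of this page or of the QRadar rule) that reproduces the three WHERE branches and the CASE labels over constructed sample rows, including one shaped like the Test 1 expected signal. The dict keys are the query's property names, and the assumed 'category' key stands in for CATEGORYNAME(category); re.fullmatch reproduces AQL's whole-string MATCHES semantics.

```python
import re

# Patterns copied from the AQL query; AQL MATCHES must match the whole string,
# so re.fullmatch is used here to reproduce that behaviour exactly.
ACCESS_BINS = r'(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker)\.exe'
PROC_RE = re.compile(r'.*' + ACCESS_BINS)
PARENT_OK_RE = re.compile(r'.*(winlogon|svchost|explorer)\.exe')
TARGET_BIN_RE = re.compile(r'.*' + ACCESS_BINS + r'.*')   # trailing .* allows "\Debugger"
SYSDIR_RE = re.compile(r'.*(system32|syswow64).*')
DEBUGGER_RE = re.compile(r'.*debugger.*')
IFEO = 'image file execution options'

def classify(event):
    """Apply the query's WHERE branches, then its CASE labels.
    Returns (detection_type, severity) or None if the row would not be selected.
    Keys mirror the query's property names; 'category' holds CATEGORYNAME(category)."""
    proc, parent, target, category = (event.get(k, '').lower() for k in
        ('Process Name', 'Parent Process Name', 'Target Object', 'category'))
    launched = PROC_RE.fullmatch(proc) and not PARENT_OK_RE.fullmatch(parent)
    ifeo = IFEO in target and TARGET_BIN_RE.fullmatch(target) and DEBUGGER_RE.fullmatch(target)
    replaced = TARGET_BIN_RE.fullmatch(target) and SYSDIR_RE.fullmatch(target) and 'file' in category
    if not (launched or ifeo or replaced):
        return None
    if IFEO in target and DEBUGGER_RE.fullmatch(target):
        return 'IFEO_DEBUGGER_SET', 'CRITICAL'
    if 'file' in category and SYSDIR_RE.fullmatch(target):
        return 'SYSTEM_FILE_MODIFIED', 'CRITICAL'
    return 'ACCESSIBILITY_BINARY_LAUNCHED', 'HIGH'

# Constructed sample rows (not real telemetry), shaped like the query's columns.
SAMPLE_EVENTS = [
    # Test 1 expected signal: Sysmon Event ID 13 setting the IFEO Debugger on sethc.exe
    {'Process Name': r'C:\Windows\System32\reg.exe', 'Parent Process Name': r'C:\Windows\System32\cmd.exe',
     'Target Object': r'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger',
     'category': 'Registry Modification'},
    # utilman.exe written into System32 (file event)
    {'Process Name': r'C:\Windows\System32\cmd.exe', 'Parent Process Name': r'C:\Windows\explorer.exe',
     'Target Object': r'C:\Windows\System32\utilman.exe', 'category': 'File Create'},
    # sethc.exe started by an unexpected parent
    {'Process Name': r'C:\Windows\System32\sethc.exe', 'Parent Process Name': r'C:\Windows\System32\cmd.exe',
     'Target Object': '', 'category': 'Process Create'},
    # Benign: Sticky Keys started by winlogon at the logon screen (excluded parent)
    {'Process Name': r'C:\Windows\System32\sethc.exe', 'Parent Process Name': r'C:\Windows\System32\winlogon.exe',
     'Target Object': '', 'category': 'Process Create'},
]

def run(events=SAMPLE_EVENTS):
    """Classify every sample row; the first three fire, the benign one does not."""
    return [classify(e) for e in events]
```

Swap in rows exported from your own log sources to confirm the parent-process exclusion list does not silence the launches you care about.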
