Detect Accessibility Features in Microsoft Sentinel
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows has accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). Adversaries may replace or add code to these programs: sethc.exe (Sticky Keys, invoked with Shift x5), utilman.exe (Utility Manager, Win+U), osk.exe (On-Screen Keyboard), Magnify.exe, Narrator.exe, DisplaySwitch.exe, AtBroker.exe. These programs may be replaced with a command shell (cmd.exe) or backdoor, or the Image File Execution Options (IFEO) debugger key can be used to trigger an arbitrary program instead of the accessibility feature, providing a SYSTEM shell at the logon screen without credentials.
MITRE ATT&CK
- Tactic
- Privilege Escalation Persistence
- Technique
- T1546 Event Triggered Execution
- Sub-technique
- T1546.008 Accessibility Features
- Canonical reference
- https://attack.mitre.org/techniques/T1546/008/
KQL Detection Query
let AccessibilityBinaries = dynamic([
"sethc.exe", "utilman.exe", "osk.exe", "Magnify.exe",
"Narrator.exe", "DisplaySwitch.exe", "AtBroker.exe"
]);
let AccessibilityAbuse = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (AccessibilityBinaries)
| where InitiatingProcessFileName !in~ ("winlogon.exe", "svchost.exe")
or AccountName == "SYSTEM" and InitiatingProcessFileName =~ "winlogon.exe"
| extend SuspiciousParent = InitiatingProcessFileName !in~ ("winlogon.exe", "svchost.exe", "explorer.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, SuspiciousParent;
let IFEORegistry = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has "Image File Execution Options"
| where RegistryValueName =~ "Debugger"
| where RegistryKey has_any (AccessibilityBinaries)
| project RegistryTime=Timestamp, DeviceName, AccountName, RegistryKey,
RegistryValueName, RegistryValueData,
InitiatingProcessFileName, InitiatingProcessCommandLine;
let BinaryReplacement = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName in~ (AccessibilityBinaries)
| where FolderPath has_any ("C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\")
| where ActionType in ("FileCreated", "FileModified")
| project FileTime=Timestamp, DeviceName, AccountName, FileName, FolderPath, ActionType,
InitiatingProcessFileName;
union AccessibilityAbuse, (IFEORegistry | extend FileTime=RegistryTime),
(BinaryReplacement | extend RegistryTime=FileTime)
| sort by Timestamp desc, RegistryTime desc, FileTime descDetects accessibility feature abuse through three detection vectors: (1) accessibility binaries spawning unexpected processes or running under unexpected parent processes, (2) Image File Execution Options (IFEO) Debugger key being set for accessibility binaries — the most common modern technique that doesn't require replacing system files, (3) direct file modifications to accessibility binaries in System32. The IFEO approach is highest fidelity as it persists as a registry entry that routes accessibility binary execution to an arbitrary payload.
Data Sources
Required Tables
False Positives & Tuning
- Accessibility software testing by QA teams that invoke accessibility features as part of test automation
- Assistive technology configuration that legitimately modifies accessibility feature behavior for users with disabilities
- Remote desktop sessions where accessibility features are launched by the remote desktop client
- Security testing and penetration testing exercises that specifically test this known technique
Other platforms for T1546.008
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Set IFEO Debugger on sethc.exe (Sticky Keys Backdoor)
Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger, Details=C:\Windows\System32\cmd.exe. Security Event ID 4657 if registry auditing is enabled. Process creation for reg.exe.
- Test 2Set IFEO Debugger on utilman.exe (Utility Manager Backdoor)
Expected signal: Sysmon Event ID 13: TargetObject contains Image File Execution Options\utilman.exe\Debugger. Process creation for reg.exe. The combination of IFEO + accessibility binary + Debugger value is a critical detection signal.
- Test 3Scan for Existing Accessibility Feature Backdoors
Expected signal: Process creation for powershell.exe with the enumeration script. Registry read events (Sysmon 12 if monitoring access events) for Image File Execution Options keys. This command is detection-safe — read-only, no modifications.
References (5)
- https://attack.mitre.org/techniques/T1546/008/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md
- https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack.html
- https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
- https://www.mandiant.com/resources/blog/apt41-dual-espionage-and-cyber-crime-operation
Unlock Pro Content
Get the full detection package for T1546.008 including response playbook, investigation guide, and atomic red team tests.