Which SIEM platforms have a T1546.008 detection rule?

df00tech provides T1546.008 (Accessibility Features) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the T1546.008 detection?

The T1546.008 detection is rated critical severity with high confidence.

What are common false positives for T1546.008?

Common false positives for T1546.008 include: Accessibility software testing by QA teams that invoke accessibility features as part of test automation; Assistive technology configuration that legitimately modifies accessibility feature behavior for users with disabilities; Remote desktop sessions where accessibility features are launched by the remote desktop client.

T1546.008 Splunk · SPL

Detect Accessibility Features in Splunk

Q: What data sources are required to detect Accessibility Features (T1546.008)?

Detecting Accessibility Features requires the following data sources: Windows Registry: Registry Key Modification, Process: Process Creation, File: File Creation, File: File Modification, Microsoft Defender for Endpoint.

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows has accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). Adversaries may replace or add code to these programs: sethc.exe (Sticky Keys, invoked with Shift x5), utilman.exe (Utility Manager, Win+U), osk.exe (On-Screen Keyboard), Magnify.exe, Narrator.exe, DisplaySwitch.exe, AtBroker.exe. These programs may be replaced with a command shell (cmd.exe) or backdoor, or the Image File Execution Options (IFEO) debugger key can be used to trigger an arbitrary program instead of the accessibility feature, providing a SYSTEM shell at the logon screen without credentials.

MITRE ATT&CK

Tactic: Privilege Escalation Persistence
Technique: T1546 Event Triggered Execution
Sub-technique: T1546.008 Accessibility Features
Canonical reference: https://attack.mitre.org/techniques/T1546/008/

SPL Detection Query

Splunk (SPL)

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
| eval AccessBin=if(
    match(lower(coalesce(Image, NewProcessName, "")), "(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker)\.exe"),
    1, 0
  )
| eval IFEOReg=if(
    (EventCode=12 OR EventCode=13)
    AND match(TargetObject, "Image File Execution Options")
    AND match(lower(TargetObject), "(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker)\.exe")
    AND match(lower(TargetObject), "debugger"),
    1, 0
  )
| eval SysFileMod=if(
    EventCode=11
    AND match(lower(coalesce(TargetFilename, "")), "(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker)\.exe")
    AND match(TargetFilename, "(?i)(system32|syswow64)"),
    1, 0
  )
| where AccessBin=1 OR IFEOReg=1 OR SysFileMod=1
| eval DetectionType=case(
    IFEOReg=1, "IFEO_DEBUGGER_SET",
    SysFileMod=1, "SYSTEM_FILE_MODIFIED",
    AccessBin=1, "ACCESSIBILITY_BINARY_LAUNCHED",
    1=1, "UNKNOWN"
  )
| eval Severity=case(
    DetectionType="IFEO_DEBUGGER_SET", "CRITICAL",
    DetectionType="SYSTEM_FILE_MODIFIED", "CRITICAL",
    DetectionType="ACCESSIBILITY_BINARY_LAUNCHED", "HIGH",
    1=1, "MEDIUM"
  )
| table _time, host, User, EventCode, DetectionType, Severity, TargetObject, Details, Image, CommandLine
| sort - _time

critical severity high confidence

Detects all three accessibility feature abuse vectors: IFEO Debugger key set for accessibility binaries (Sysmon 12/13), direct system file modifications to accessibility binaries (Sysmon 11), and accessibility binary process launches (Sysmon 1). IFEO Debugger modification is rated CRITICAL as it's the primary modern technique — no file replacement needed, just a registry key that redirects execution of any accessibility binary to an arbitrary payload including at the pre-authentication logon screen.

Data Sources

Windows Registry: Registry Key ModificationProcess: Process CreationFile: File ModificationSysmon Event IDs 1, 11, 12, 13

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

Accessibility software testing
Assistive technology configuration for users with disabilities
Remote desktop accessibility feature invocations
Security testing exercises

Download portable Sigma rule (.yml)

Other platforms for T1546.008

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Set IFEO Debugger on sethc.exe (Sticky Keys Backdoor)
Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger, Details=C:\Windows\System32\cmd.exe. Security Event ID 4657 if registry auditing is enabled. Process creation for reg.exe.
Test 2Set IFEO Debugger on utilman.exe (Utility Manager Backdoor)
Expected signal: Sysmon Event ID 13: TargetObject contains Image File Execution Options\utilman.exe\Debugger. Process creation for reg.exe. The combination of IFEO + accessibility binary + Debugger value is a critical detection signal.
Test 3Scan for Existing Accessibility Feature Backdoors
Expected signal: Process creation for powershell.exe with the enumeration script. Registry read events (Sysmon 12 if monitoring access events) for Image File Execution Options keys. This command is detection-safe — read-only, no modifications.

Last updated: 2026-04-20 Research depth: deep

References (5)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1546.008 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Detect Accessibility Features in Splunk

MITRE ATT&CK

SPL Detection Query

Data Sources

Required Sourcetypes

False Positives & Tuning

Other platforms for T1546.008

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Privilege Escalation

Popular Detections

MITRE ATT&CK

SPL Detection Query

Data Sources

Required Sourcetypes

False Positives & Tuning

Other platforms for T1546.008

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Privilege Escalation

Popular Detections

Get new detections in your inbox