Detect Accessibility Features in Sumo Logic CSE
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows has accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). Adversaries may replace or add code to these programs: sethc.exe (Sticky Keys, invoked with Shift x5), utilman.exe (Utility Manager, Win+U), osk.exe (On-Screen Keyboard), Magnify.exe, Narrator.exe, DisplaySwitch.exe, AtBroker.exe. These programs may be replaced with a command shell (cmd.exe) or backdoor, or the Image File Execution Options (IFEO) debugger key can be used to trigger an arbitrary program instead of the accessibility feature, providing a SYSTEM shell at the logon screen without credentials.
MITRE ATT&CK
- Tactic
- Privilege Escalation, Persistence
- Technique
- T1546 Event Triggered Execution
- Sub-technique
- T1546.008 Accessibility Features
- Canonical reference
- https://attack.mitre.org/techniques/T1546/008/
Sumo Detection Query
_sourceCategory=*windows*
// Scope to the Sysmon operational and Security channels (field name as exposed by this collector setup)
| where (%"sourcetype" = "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR %"sourcetype" = "WinEventLog:Security")
| parse "EventID=*" as EventID nodrop
| parse "Image=*" as Image nodrop
| parse "ParentImage=*" as ParentImage nodrop
| parse "CommandLine=*" as CommandLine nodrop
| parse "TargetObject=*" as TargetObject nodrop
| parse "TargetFilename=*" as TargetFilename nodrop
| parse "Computer=*" as Computer nodrop
| parse "User=*" as User nodrop
| parse "Details=*" as RegistryDetails nodrop
| where (
    // Vector 1: Sysmon Event 1 (Process Create), accessibility binary launched by a non-standard parent
    (
      EventID = "1" AND
      toLowerCase(Image) matches /\\(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker)\.exe$/ AND
      !(toLowerCase(ParentImage) matches /\\(winlogon|svchost|explorer)\.exe$/)
    ) OR
    // Vector 2: Sysmon Events 12/13 (Registry create/set), IFEO Debugger value under an accessibility binary key
    (
      EventID in ("12", "13") AND
      toLowerCase(TargetObject) matches "*image file execution options*" AND
      toLowerCase(TargetObject) matches /\\(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker)\.exe(\\|$)/ AND
      toLowerCase(TargetObject) matches "*debugger*"
    ) OR
    // Vector 3: Sysmon Event 11 (File Create), accessibility binary written into a system directory
    (
      EventID = "11" AND
      toLowerCase(TargetFilename) matches /\\(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker)\.exe$/ AND
      toLowerCase(TargetFilename) matches /\\(system32|syswow64)\\/
    )
  )
// Classification for triage: the IFEO branch and the file-replacement branch are both CRITICAL
| if(toLowerCase(TargetObject) matches "*debugger*", "IFEO_DEBUGGER_SET",
    if(EventID = "11", "SYSTEM_FILE_MODIFIED", "ACCESSIBILITY_BINARY_LAUNCHED")) as DetectionType
| if(DetectionType = "ACCESSIBILITY_BINARY_LAUNCHED", "HIGH", "CRITICAL") as Severity
| fields _messageTime, Computer, User, EventID, DetectionType, Severity, TargetObject, TargetFilename, Image, CommandLine, RegistryDetails
| sort by _messageTime desc

Sumo Logic detection for T1546.008 using Sysmon operational and Windows Security events. It covers three detection vectors: Sysmon Event 1 (Process Create) for an accessibility binary launched by a non-standard parent, Sysmon Events 12/13 (Registry create/set) for IFEO Debugger key manipulation on accessibility binaries, and Sysmon Event 11 (File Create) for accessibility binary replacement in system directories. The DetectionType and Severity fields are derived with `if()` for alert triage.
False Positives & Tuning
- Windows servicing stack updates using TrustedInstaller.exe replacing accessibility binaries — filter by checking if parent process is TrustedInstaller.exe and correlating event timing with Windows Update scheduled windows
- Vendor-specific assistive technology software that legitimately replaces or wraps accessibility features — maintain an approved software inventory and suppress based on known-good hash values via Sumo Logic lookup tables
- IT helpdesk remote session tools (TeamViewer, AnyDesk) that interact with accessibility features for remote support — identify by correlating with ServiceDesk ticket activity and verifying process digital signature chain
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Set IFEO Debugger on sethc.exe (Sticky Keys Backdoor)
Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger, Details=C:\Windows\System32\cmd.exe. Security Event ID 4657 if registry auditing is enabled. Process creation for reg.exe.
- Test 2: Set IFEO Debugger on utilman.exe (Utility Manager Backdoor)
Expected signal: Sysmon Event ID 13: TargetObject contains Image File Execution Options\utilman.exe\Debugger. Process creation for reg.exe. The combination of IFEO + accessibility binary + Debugger value is a critical detection signal.
- Test 3: Scan for Existing Accessibility Feature Backdoors
Expected signal: Process creation for powershell.exe with the enumeration script. Registry read events (Sysmon 12 if monitoring access events) for Image File Execution Options keys. This command is detection-safe — read-only, no modifications.
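The three detection vectors of the query, the tuning rules from the False Positives section, and the expected signals of the tests above, worked through as an added Python example (not code from the original page, from Sumo Logic, or from Atomic Red Team). It parses constructed Sysmon lines in the flat `Key=Value` shape the query's `parse` statements assume, classifies each line the way the query derives DetectionType and Severity, and then applies the two suppressions the page describes: writes by the servicing stack (TrustedInstaller.exe) and launches whose hash is on a known-good list. The TrustedInstaller path, the known-good hash, and all sample events are constructed placeholders.

```python
import re

# Accessibility binaries named in the rule, matched as a path component so that both
# "...\sethc.exe" (Image, TargetFilename) and "...\sethc.exe\Debugger" (TargetObject) hit.
ACCESSIBILITY = re.compile(
    r"\\(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker)\.exe(\\|$)", re.I)
BENIGN_PARENTS = re.compile(r"\\(winlogon|svchost|explorer)\.exe$", re.I)
SYSTEM_DIRS = re.compile(r"\\(system32|syswow64)\\", re.I)
IFEO_KEY = "image file execution options"

# Tuning data (constructed placeholders; in Sumo Logic these would come from lookup tables).
SERVICING_PROCESSES = {r"c:\windows\servicing\trustedinstaller.exe"}
KNOWN_GOOD_HASH = "SHA256=" + "0" * 64          # placeholder, not a real file hash
KNOWN_GOOD_HASHES = {KNOWN_GOOD_HASH}

SEVERITY = {"IFEO_DEBUGGER_SET": "CRITICAL", "SYSTEM_FILE_MODIFIED": "CRITICAL",
            "ACCESSIBILITY_BINARY_LAUNCHED": "HIGH"}

# One "Key=Value" pair; a value runs until the next " Key=" token or end of line,
# so paths with spaces and Hashes=SHA256=... values survive intact.
KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Split a flattened Sysmon line into a field dict (constructed format, see lead-in)."""
    return dict(KV.findall(line.strip()))


def classify(ev):
    """Mirror the three query branches; return the DetectionType or None."""
    eid = ev.get("EventID", "")
    target = ev.get("TargetObject", "")
    fname = ev.get("TargetFilename", "")
    image = ev.get("Image", "")
    parent = ev.get("ParentImage", "")
    if (eid in ("12", "13") and IFEO_KEY in target.lower()
            and ACCESSIBILITY.search(target) and "debugger" in target.lower()):
        return "IFEO_DEBUGGER_SET"
    if eid == "11" and ACCESSIBILITY.search(fname) and SYSTEM_DIRS.search(fname):
        return "SYSTEM_FILE_MODIFIED"
    if eid == "1" and ACCESSIBILITY.search(image) and not BENIGN_PARENTS.search(parent):
        return "ACCESSIBILITY_BINARY_LAUNCHED"
    return None


def suppressed(ev, detection):
    """Return the tuning reason that suppresses this finding, or None to keep it."""
    # Event 11's Image is the process that wrote the file: servicing-stack writes are expected.
    if detection == "SYSTEM_FILE_MODIFIED" and ev.get("Image", "").lower() in SERVICING_PROCESSES:
        return "servicing_stack"
    # Event 1 carries Hashes; an approved assistive-technology inventory is keyed on them.
    if detection == "ACCESSIBILITY_BINARY_LAUNCHED" and ev.get("Hashes", "") in KNOWN_GOOD_HASHES:
        return "known_good_hash"
    return None


def run(lines):
    """Classify every line, drop tuned-out findings, and return alert records for triage."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        det = classify(ev)
        if det is None or suppressed(ev, det):
            continue
        alerts.append({"Computer": ev.get("Computer"), "EventID": ev.get("EventID"),
                       "DetectionType": det, "Severity": SEVERITY[det],
                       "Image": ev.get("Image"), "TargetObject": ev.get("TargetObject"),
                       "TargetFilename": ev.get("TargetFilename")})
    return alerts


IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SAMPLE_EVENTS = [  # constructed, modelled on the expected signals of Tests 1-3
    r"EventID=13 Computer=WS01 User=CORP\alice Image=C:\Windows\System32\reg.exe TargetObject="
    + IFEO + r"\sethc.exe\Debugger Details=C:\Windows\System32\cmd.exe",
    r"EventID=1 Computer=WS01 Image=C:\Windows\System32\sethc.exe ParentImage=C:\Windows\System32\winlogon.exe",
    r"EventID=1 Computer=WS02 Image=C:\Windows\System32\utilman.exe ParentImage=C:\Windows\System32\cmd.exe Hashes=SHA256=CONSTRUCTEDUNKNOWN",
    r"EventID=11 Computer=WS03 Image=C:\Windows\servicing\TrustedInstaller.exe TargetFilename=C:\Windows\System32\osk.exe",
    r"EventID=11 Computer=WS04 Image=C:\Windows\System32\cmd.exe TargetFilename=C:\Windows\System32\sethc.exe",
    r"EventID=13 Computer=WS05 Image=C:\Windows\System32\reg.exe TargetObject=" + IFEO + r"\notepad.exe\Debugger Details=C:\tools\dbg.exe",
    r"EventID=1 Computer=WS06 Image=C:\Windows\System32\utilman.exe ParentImage=C:\Program Files\Vendor\AssistiveTech.exe Hashes=" + KNOWN_GOOD_HASH,
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert["Severity"], alert["DetectionType"], alert["Computer"])
```

Of the seven constructed events only WS01 (IFEO Debugger set), WS02 (utilman.exe under cmd.exe with an unknown hash) and WS04 (cmd.exe overwriting sethc.exe in System32) produce alerts; the winlogon-parented launch, the notepad.exe IFEO entry, the TrustedInstaller write and the known-good-hash launch are dropped by the rule logic or by tuning, which is the behaviour to confirm before promoting the query to a CSE rule.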
References
- https://attack.mitre.org/techniques/T1546/008/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md
- https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack.html
- https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
- https://www.mandiant.com/resources/blog/apt41-dual-espionage-and-cyber-crime-operation