title: Accessibility Features (T1546.008)
id: df00tech-t1546-008
status: experimental
description: "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows has accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). Adversaries may replace or add code to these programs: sethc.exe (Sticky Keys, invoked with Shift x5), utilman.exe (Utility Manager, Win+U), osk.exe (On-Screen Keyboard), Magnify.exe, Narrator.exe, DisplaySwitch.exe, AtBroker.exe. These programs may be replaced with a command shell (cmd.exe) or backdoor, or the Image File Execution Options (IFEO) debugger key can be used to trigger an arbitrary program instead of the accessibility feature, providing a SYSTEM shell at the logon screen without credentials."
references:
  - https://attack.mitre.org/techniques/T1546/008/
  - https://df00tech.com/detections/T1546.008
author: df00tech
date: 2026/04/20
tags:
  - attack.t1546.008
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
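  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder: the '*' wildcard matches any EventID,
  # so replace it with the translated logic before deploying this rule.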
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Accessibility software testing by QA teams that invoke accessibility features as part of test automation
  - Assistive technology configuration that legitimately modifies accessibility feature behavior for users with disabilities
  - Remote desktop sessions where accessibility features are launched by the remote desktop client
  - Security testing and penetration testing exercises that specifically test this known technique
level: critical
