Persistence Via Sticky Key Backdoor
| Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
|---|---|---|---|---|
| Persistence Via Sticky Key Backdoor | Standard | Windows | Persistence: Event Triggered Execution - Accessibility Features (T1546.008), Privilege Escalation: Event Triggered Execution - Accessibility Features (T1546.008) | Critical |
About the rule
Rule Type
Standard
Rule Description
The Sticky Key backdoor is a well-known persistence technique where attackers replace sethc.exe (the Sticky Keys accessibility feature) with cmd.exe or another malicious executable. This allows them to spawn a command prompt with SYSTEM privileges by pressing Shift five times on the Windows login screen—without needing to authenticate. Once implemented, this method enables persistent, unauthenticated access to a system, often surviving reboots and remaining undetected unless integrity checks are in place. It's commonly used in targeted attacks or post-exploitation scenarios to maintain stealthy backdoor access.
Severity
Critical
Rule journey
Attack chain scenario
Initial Access → Privilege Escalation → Persistence → Execution
Impact
- Persistent Backdoor Access
- Privilege Escalation
- Security Control Bypass
- System Compromise
Rule Requirement
Prerequisites
Using Windows event viewer:
To enable detailed process tracking in a domain environment, log in to a domain controller using domain admin credentials and open the Group Policy Management Console (GPMC). Create or edit a GPO linked to the target OU and navigate to the Advanced Audit Policy Configuration section to enable success auditing for both process creation and termination. To capture command-line details, enable the Include command line in process creation events setting under Audit Process Creation. Additionally, create the Microsoft-Windows-Security-Auditing/Operational registry key in the specified EventLog path to support enhanced auditing.
Using Sysmon:
To enable detailed process monitoring using Sysmon, first download and install it from Microsoft Sysinternals. Run Command Prompt as an administrator and install Sysmon with a configuration file that includes process creation tracking using sysmon.exe -i [configfile.xml]. Ensure your configuration includes a <ProcessCreate> filter to capture all process creation events. Additionally, create the Microsoft-Windows-Sysmon/Operational registry key under the EventLog path if it doesn’t already exist.
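The two prerequisite paths above, enabling process-creation auditing with command lines and installing Sysmon with a ProcessCreate filter, as an added example that is not part of the original rule page. It applies the local equivalents of the GPO settings on a single host (in a domain the GPO route remains the right one). It assumes an elevated PowerShell session, that sysmon.exe has already been downloaded into the current directory, and that the configuration file location is arbitrary.

```powershell
# Added example, not from the original rule page: enable on one host the telemetry
# the rule consumes. Run in an elevated PowerShell session.
# Assumptions: sysmon.exe is in the current directory; $configPath is an arbitrary location.

# 1. Success auditing for the two Advanced Audit Policy subcategories named above
auditpol.exe /set /subcategory:"Process Creation" /success:enable
auditpol.exe /set /subcategory:"Process Termination" /success:enable

# 2. Put the command line into 4688 events (the registry value behind the
#    "Include command line in process creation events" policy setting)
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. Minimal Sysmon configuration: an empty exclude list for ProcessCreate means
#    every process creation is logged as Sysmon Event ID 1. Set schemaversion to
#    match the Sysmon release you deploy.
$sysmonConfig = @'
<Sysmon schemaversion="4.22">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <ProcessCreate onmatch="exclude" />
  </EventFiltering>
</Sysmon>
'@
$configPath = Join-Path $env:ProgramData 'sysmon-processcreate.xml'   # assumed location
Set-Content -Path $configPath -Value $sysmonConfig -Encoding ASCII

# 4. Install Sysmon with that configuration, or push the configuration to an
#    existing installation (service is named Sysmon or Sysmon64 depending on binary)
if (Get-Service -Name 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue) {
    & .\sysmon.exe -accepteula -c $configPath
} else {
    & .\sysmon.exe -accepteula -i $configPath
}

# 5. Confirm both channels the rule reads from exist and are enabled
Get-WinEvent -ListLog 'Security', 'Microsoft-Windows-Sysmon/Operational' |
    Select-Object LogName, IsEnabled, RecordCount
```

After step 5, a fresh process start (for example opening Notepad) should produce a Security 4688 event whose CommandLine field is populated and a Sysmon Event ID 1 in the Operational channel; if the 4688 CommandLine is blank, step 2 did not take effect.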
Criteria
```
Action1: actionname = "Process started" AND COMMANDLINE contains "copy " AND COMMANDLINE contains "/y " AND COMMANDLINE contains "C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe"
select Action1.HOSTNAME, Action1.MESSAGE, Action1.COMMANDLINE, Action1.FILE_NAME, Action1.PROCESSNAME, Action1.USERNAME, Action1.PARENTPROCESSNAME
```
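The criteria above expressed as a PowerShell filter over process-creation events, as an added example that is not part of the original rule. The function applies the same three substring conditions as the rule, so it only fires on the literal cmd.exe-to-sethc.exe copy and not on other uses of copy /y. It is first run against two constructed sample records (so it works offline) and then against live Security 4688 events; the sample hostnames, users and command lines are made up for the demonstration.

```powershell
# Added example, not from the original rule page: the rule's three conditions as a
# PowerShell predicate, tested on constructed records and then on live 4688 events.

function Test-StickyKeyBackdoorCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    # Mirrors the rule: three case-insensitive substring checks, all required.
    # -like is used for the path so the backslashes are not read as regex escapes.
    ($CommandLine -match 'copy ') -and
    ($CommandLine -match '/y ') -and
    ($CommandLine -like '*C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe*')
}

# Constructed sample records (not real telemetry). The first is the pattern the rule
# targets; the second is a benign copy /y that must not fire.
$sampleEvents = @(
    [pscustomobject]@{
        Hostname    = 'WS01'                      # constructed
        Username    = 'CORP\jdoe'                 # constructed
        Parent      = 'C:\Windows\explorer.exe'
        CommandLine = 'cmd.exe /c copy /y C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe'
    }
    [pscustomobject]@{
        Hostname    = 'WS02'                      # constructed
        Username    = 'CORP\svc-backup'           # constructed
        Parent      = 'C:\Windows\System32\services.exe'
        CommandLine = 'cmd.exe /c copy /y D:\backup\app.ini C:\ProgramData\app\app.ini'
    }
)

# Expected: only the WS01 record is returned
$sampleEvents | Where-Object { Test-StickyKeyBackdoorCommandLine $_.CommandLine } |
    Format-Table Hostname, Username, Parent, CommandLine -AutoSize

# Live check: read recent 4688 events (requires the command-line auditing prerequisite),
# flatten the EventData fields and apply the same predicate.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Hostname    = $_.MachineName
            Username    = $data['SubjectUserName']
            Process     = $data['NewProcessName']
            Parent      = $data['ParentProcessName']
            CommandLine = $data['CommandLine']
        }
    } |
    Where-Object { $_.CommandLine -and (Test-StickyKeyBackdoorCommandLine $_.CommandLine) } |
    Format-Table Time, Hostname, Username, Parent, CommandLine -AutoSize
```

Because the rule matches a literal path string, it depends on the command line being recorded in full; the same predicate can be pointed at Sysmon Event ID 1 (LogName 'Microsoft-Windows-Sysmon/Operational', field CommandLine) for hosts where only Sysmon is deployed.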
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
Persistence: Event Triggered Execution - Accessibility Features (T1546.008), Privilege Escalation: Event Triggered Execution - Accessibility Features (T1546.008)
Security Standards
Enabling this rule will help you meet the security standards' requirements listed below:
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes.
PR.PS-01: Configuration management practices are established and applied.
By triggering on suspicious replacement of accessibility features like sethc.exe, this rule helps detect persistence mechanisms that hijack system binaries to maintain unauthorized access with elevated privileges.
Author
Sreeman
Future actions
Known False Positives
This rule may be triggered during legitimate system maintenance or forensic activities.
Next Steps
When this rule is triggered, the following measures can be implemented:
- Identification: Determine if the modification of sethc.exe (or similar accessibility executables) is legitimate or the result of malicious activity.
- Analysis: Inspect the replaced binary to confirm whether it is a renamed cmd.exe or another malicious executable. Review recent changes to system files and check for other signs of persistence.
- Response: Immediately restore the original sethc.exe from a trusted source. Disable the malicious backdoor, terminate associated processes, and review user access logs for unauthorized logins.
- Enable FIM: Monitor critical system binaries for unexpected changes using file integrity monitoring (FIM).
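The triage and FIM steps above, as an added example that is not part of the original rule page. It inspects sethc.exe and the other accessibility binaries for the signs the Analysis step describes (a renamed cmd.exe), records a hash baseline for later comparison, and uses the Windows component store as the trusted source for the Response step. The baseline file location is an assumption; run it elevated on the host that raised the alert.

```powershell
# Added example, not from the original rule page: triage checks, a hash baseline for
# the accessibility binaries, and restoration from the component store.
# Assumption: $baselinePath is an arbitrary location you control.

$accessibilityBinaries = @('sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
                           'magnify.exe', 'displayswitch.exe', 'atbroker.exe') |
    ForEach-Object { Join-Path $env:SystemRoot "System32\$_" }
$cmdHash = (Get-FileHash (Join-Path $env:SystemRoot 'System32\cmd.exe') -Algorithm SHA256).Hash

function Get-AccessibilityBinaryState {
    foreach ($path in $accessibilityBinaries) {
        if (-not (Test-Path $path)) { continue }
        $item = Get-Item $path
        $hash = (Get-FileHash $path -Algorithm SHA256).Hash
        [pscustomobject]@{
            Path             = $path
            SHA256           = $hash
            # A copied cmd.exe keeps its own version resource: OriginalFilename reads 'Cmd.Exe'
            OriginalFilename = $item.VersionInfo.OriginalFilename
            # Note: a copied cmd.exe is still catalog-signed by Microsoft, so a 'Valid'
            # status alone does not clear the file; rely on the hash and name checks.
            Signature        = (Get-AuthenticodeSignature -FilePath $path).Status
            SameAsCmd        = ($hash -eq $cmdHash)
            LastWriteUtc     = $item.LastWriteTimeUtc
        }
    }
}

$baselinePath = 'C:\ProgramData\FIM\accessibility-baseline.json'   # assumed location

function Save-AccessibilityBaseline {
    New-Item -ItemType Directory -Path (Split-Path $baselinePath) -Force | Out-Null
    Get-AccessibilityBinaryState | Select-Object Path, SHA256 |
        ConvertTo-Json | Set-Content -Path $baselinePath
}

function Compare-AccessibilityBaseline {
    # Reports every baselined binary whose hash changed or that disappeared
    $baseline = Get-Content $baselinePath -Raw | ConvertFrom-Json
    $current  = Get-AccessibilityBinaryState
    foreach ($b in $baseline) {
        $now = $current | Where-Object Path -eq $b.Path
        if ($null -eq $now -or $now.SHA256 -ne $b.SHA256) {
            [pscustomobject]@{ Path = $b.Path; Expected = $b.SHA256; Actual = $now.SHA256 }
        }
    }
}

# Triage view: SameAsCmd = True or an OriginalFilename that does not match the file
# name is the renamed-cmd.exe case the Analysis step describes
Get-AccessibilityBinaryState |
    Format-Table Path, OriginalFilename, Signature, SameAsCmd, LastWriteUtc -AutoSize

# Record the baseline on a known-good host; on later runs, Compare-AccessibilityBaseline
# lists drift. Take the baseline only after the host has been cleaned.
if (-not (Test-Path $baselinePath)) { Save-AccessibilityBaseline } else { Compare-AccessibilityBaseline }

# Response: restore sethc.exe from the component store rather than from another machine
sfc.exe /scanfile=C:\Windows\System32\sethc.exe
```

The hash baseline is deliberately narrow (seven files), which makes it cheap to run from a scheduled task; a full FIM product covers the same binaries but also records who wrote the file, which this snippet does not.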
Mitigation
| Mitigation ID | Mitigation Name | Mitigation description |
|---|---|---|
| M1038 | Execution Prevention | Adversaries can replace accessibility features binaries with alternate binaries to execute this technique. Identify and block potentially malicious software executed through accessibility features functionality by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate. |
| M1035 | Limit Access to Resource Over Network | Use a Remote Desktop Gateway to manage connections and security configuration of RDP within a network. |
| M1028 | Operating System Configuration | Ensure that Network Level Authentication is enabled to force the remote desktop session to authenticate before the session is created and the login screen displayed. |