Sticky Key Like Backdoor Execution

Rule name: Sticky Key Like Backdoor Execution

Rule type: Standard

Log sources: Windows

MITRE ATT&CK tags: Persistence: Event Triggered Execution - Accessibility Features (T1546.008), Privilege Escalation: Event Triggered Execution - Accessibility Features (T1546.008)

Severity: Critical

About the rule

Rule Type

Standard

Rule Description

The Sticky Key-like backdoor execution technique involves replacing or abusing Windows accessibility executables like sethc.exe, utilman.exe, or others that can be launched pre-logon by pressing specific key combinations (e.g., Shift key five times). Attackers exploit this by replacing the original binary with cmd.exe or a malicious payload. Once replaced, triggering the accessibility shortcut opens a command prompt or backdoor with system-level privileges—bypassing authentication. This method is particularly stealthy, often used for maintaining persistent, privileged access on compromised systems, especially in environments lacking strict file integrity monitoring.

Severity

Critical

Rule journey

Attack chain scenario

Initial Access → Privilege Escalation → File Manipulation → Accessibility Feature Hijack (e.g., replacing sethc.exe with cmd.exe) → Local Persistence → Unauthenticated Privileged Access

Impact

  • Unauthorized SYSTEM-level access
  • Persistence
  • Credential theft
  • Lateral movement

Rule Requirement

Prerequisites


Using Windows event viewer:
To enable detailed process tracking in a domain environment, log in to a domain controller using domain admin credentials and open the Group Policy Management Console (GPMC). Create or edit a GPO linked to the target OU and navigate to the Advanced Audit Policy Configuration section to enable success auditing for both process creation and termination. To capture command-line details, enable the Include command line in process creation events setting under Audit Process Creation. Additionally, create the Microsoft-Windows-Security-Auditing/Operational registry key in the specified EventLog path to support enhanced auditing.

Using Sysmon:
To enable detailed process monitoring using Sysmon, first download and install it from Microsoft Sysinternals. Run Command Prompt as an administrator and install Sysmon with a configuration file that includes process creation tracking using sysmon.exe -i [configfile.xml]. Ensure your configuration includes a <ProcessCreate> filter to capture all process creation events. Additionally, create the Microsoft-Windows-Sysmon/Operational registry key under the EventLog path if it doesn’t already exist.

Criteria

Action1: actionname = "Process started"
  AND PARENTPROCESSNAME endswith "\winlogon.exe"
  AND PROCESSNAME endswith "\cmd.exe,\cscript.exe,\mshta.exe,\powershell.exe,\pwsh.exe,\regsvr32.exe,\rundll32.exe,\wscript.exe,\wt.exe"
  AND COMMANDLINE contains "sethc.exe,utilman.exe,osk.exe,Magnify.exe,Narrator.exe,DisplaySwitch.exe"
select Action1.HOSTNAME, Action1.MESSAGE, Action1.COMMANDLINE, Action1.FILE_NAME, Action1.PROCESSNAME, Action1.USERNAME, Action1.PARENTPROCESSNAME
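The criteria above, expressed as an added Python example that is not part of the rule package or its engine: the field names follow the rule, the comma-separated lists become Python lists, and the three process-creation records are constructed for illustration (one expected hit, two benign look-alikes).

```python
# Added example (not the rule engine's code): applies the Criteria above to
# constructed process-creation records whose field names mirror the rule's.
# The DSL writes each list as one comma-separated string; here each is a
# Python list. Windows paths are case-insensitive, so comparisons use lower case.
CHILD_SUFFIXES = ["\\cmd.exe", "\\cscript.exe", "\\mshta.exe", "\\powershell.exe",
                  "\\pwsh.exe", "\\regsvr32.exe", "\\rundll32.exe", "\\wscript.exe", "\\wt.exe"]
ACCESSIBILITY_BINARIES = ["sethc.exe", "utilman.exe", "osk.exe",
                          "magnify.exe", "narrator.exe", "displayswitch.exe"]
SELECTED_FIELDS = ("HOSTNAME", "MESSAGE", "COMMANDLINE", "FILE_NAME",
                   "PROCESSNAME", "USERNAME", "PARENTPROCESSNAME")

def matches(event: dict) -> bool:
    """True when a 'Process started' record satisfies all three rule conditions."""
    if event.get("actionname") != "Process started":
        return False
    parent = event.get("PARENTPROCESSNAME", "").lower()
    child = event.get("PROCESSNAME", "").lower()
    cmdline = event.get("COMMANDLINE", "").lower()
    return (parent.endswith("\\winlogon.exe")
            and any(child.endswith(s) for s in CHILD_SUFFIXES)
            and any(b in cmdline for b in ACCESSIBILITY_BINARIES))

def run_rule(events: list) -> list:
    """Return the rule's 'select' projection for every matching record."""
    return [{k: e.get(k) for k in SELECTED_FIELDS} for e in events if matches(e)]

# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {   # Should alert: winlogon.exe started cmd.exe with a sethc.exe command line.
        "actionname": "Process started", "HOSTNAME": "WS01", "USERNAME": "SYSTEM",
        "PARENTPROCESSNAME": "C:\\Windows\\System32\\winlogon.exe",
        "PROCESSNAME": "C:\\Windows\\System32\\cmd.exe", "FILE_NAME": "cmd.exe",
        "COMMANDLINE": "C:\\Windows\\System32\\sethc.exe 211",
        "MESSAGE": "A new process has been created."},
    {   # Benign: winlogon.exe routinely starts userinit.exe at logon.
        "actionname": "Process started", "HOSTNAME": "WS01", "USERNAME": "SYSTEM",
        "PARENTPROCESSNAME": "C:\\Windows\\System32\\winlogon.exe",
        "PROCESSNAME": "C:\\Windows\\System32\\userinit.exe", "FILE_NAME": "userinit.exe",
        "COMMANDLINE": "C:\\Windows\\system32\\userinit.exe", "MESSAGE": ""},
    {   # Benign: a cmd.exe under explorer.exe that merely names sethc.exe.
        "actionname": "Process started", "HOSTNAME": "WS02", "USERNAME": "CORP\\admin",
        "PARENTPROCESSNAME": "C:\\Windows\\explorer.exe",
        "PROCESSNAME": "C:\\Windows\\System32\\cmd.exe", "FILE_NAME": "cmd.exe",
        "COMMANDLINE": "cmd.exe /c dir sethc.exe", "MESSAGE": ""},
]

if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))
```

Only the first record is returned; the other two fail the parent or child-process condition even though they name an accessibility binary, which is the intended precision of the rule.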

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Persistence: Event Triggered Execution - Accessibility Features (T1546.008), Privilege Escalation: Event Triggered Execution - Accessibility Features (T1546.008)

Security Standards

Enabling this rule will help you meet the security standard requirements listed below:

PR.AC-01: Identities and credentials are issued, managed, and used securely.
PR.PS-01: Configuration management practices are established and applied.

When this rule is triggered, you are alerted to suspicious execution of system accessibility features like Sticky Keys (sethc.exe) that may have been replaced with a backdoor such as cmd.exe.

Author

Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community

Future actions

Known False Positives

This rule may be triggered by legitimate system administrators or power users who have intentionally modified accessibility features for troubleshooting, automation, or recovery purposes in isolated or non-production environments.

Next Steps

When this rule is triggered, the following measures can be implemented:

  • Identification: Determine whether the event involves unauthorized replacement of accessibility executables (e.g., sethc.exe, utilman.exe) with command-line tools such as cmd.exe. Review endpoint and user activity logs for context.
  • Analysis: Assess whether the change was part of a sanctioned administrative task or penetration test, or is indicative of malicious persistence.
  • Response: Isolate the host, restore the original system binaries, reset credentials, and scan for further persistence mechanisms.
  • Monitor the System32 directory: Monitor and restrict write access to the System32 directory.

Mitigation

Mitigation ID: M1038
Mitigation name: Execution Prevention
Mitigation description: Adversaries can replace accessibility feature binaries with alternate binaries to execute this technique. Identify and block potentially malicious software executed through accessibility features by using application control tools such as Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.

Mitigation ID: M1035
Mitigation name: Limit Access to Resource Over Network
Mitigation description: Use a Remote Desktop Gateway to manage connections and the security configuration of RDP within a network.

Mitigation ID: M1028
Mitigation name: Operating System Configuration
Mitigation description: Ensure that Network Level Authentication is enabled to force the remote desktop session to authenticate before the session is created and the login screen is displayed.