T1546.008
Accessibility Features
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. Two common accessibility programs are C:\Windows\System32\sethc.exe...
Windows
8 Detections
3 Sources
6 Threat Actors
BY SOURCE
6 sigma, 1 elastic, 1 splunk_escu
PROCEDURES (3)
Process Creation Monitoring: 6 detections
Auto-extracted: 6 detections for process creation monitoring
Authentication Monitoring: 1 detection
Auto-extracted: 1 detection for authentication monitoring
Registry Monitoring: 1 detection
Auto-extracted: 1 detection for registry monitoring
THREAT ACTORS (6)
DETECTIONS (8)
Overwriting Accessibility Binaries
splunk_escu
Persistence Via Sticky Key Backdoor
sigma, critical
Potential Modification of Accessibility Binaries
elastic, high
Potential Privilege Escalation Using Symlink Between Osk and Cmd
sigma, high
Potential Suspicious Activity Using SeCEdit
sigma, medium
Sticky Key Like Backdoor Execution
sigma, critical
Sticky Key Like Backdoor Usage - Registry
sigma, critical
Suspicious Debugger Registration Cmdline
sigma, high