#OSK EXE REPLACEMENT SOFTWARE#
Identify and block potentially malicious software executed through accessibility features functionality by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate. Īdversaries can replace accessibility features binaries with alternate binaries to execute this technique. įox Kitten has used sticky keys to launch a command prompt. Įmpire can leverage WMI debugging to remotely replace binaries like sethc.exe, Utilman.exe, and Magnify.exe with cmd.exe. ĭeep Panda has used the sticky-keys technique to bypass the RDP login screen on remote systems during intrusions. Īxiom actors have been known to use the Sticky Keys replacement within RDP sessions to obtain persistence. ĪPT41 leveraged sticky keys to establish persistence. ĪPT3 replaces the Sticky Keys binary C:\Windows\System32\sethc.exe for persistence.
An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features.