Sticky Keys Persistence

by Vince

There's a function in Windows, Accessibility Options, which is available for the visually impaired. At the login prompt, hitting the Shift key five times activates sethc.exe. If we want to abuse this pre-login function, we can copy cmd.exe in its place, which launches a command prompt as SYSTEM before anyone logs in. From there, we could create an account or perform any other privileged command-prompt action.

As you can imagine from the title of this post, this abuse is a form of persistence. Before I continue, note that there are two techniques: the first, covered by the next five images, does not work on Windows 10; the second, in the last three images, does. Truth be told, I was documenting successes and failures for a particular engagement for the sake of testing detection mechanisms, and it's worth knowing.

We need to take ownership of the file:

Next, we need to modify access control:

We want to make a backup copy of the original file and then copy cmd.exe to sethc.exe. That's where things go wrong in Windows 10.

I launch a command prompt as system:

I attempt the copy again, but it fails again.

A technique that works: first we need to disable endpoint protection, in this case Defender:

Next, we tie cmd.exe to the debugger function for sethc.exe:

Then, at the login prompt, when we hit the Shift key five times:

Obviously, this is a much easier technique than the first, but there are pros and cons to both.
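Both techniques leave artifacts a defender can check for. The following PowerShell script is an added example, not part of the original post or its screenshots: it looks for the two tampering paths described above on the local machine. It assumes the "debugger function" in the second technique is the Image File Execution Options (IFEO) `Debugger` value for sethc.exe (the screenshots are not reproduced here, so that mapping is an assumption), and that the machine has a standard `%SystemRoot%\System32` layout. Run it from an elevated prompt.

```powershell
# Added defensive check (not from the original post): flag the two sethc.exe
# tampering paths described in the post -- the binary replaced with cmd.exe,
# and an Image File Execution Options (IFEO) "Debugger" value pointing at
# another program. Assumes a standard %SystemRoot%\System32 layout.

$System32 = Join-Path $env:SystemRoot 'System32'
$Target   = Join-Path $System32 'sethc.exe'
$CmdExe   = Join-Path $System32 'cmd.exe'
$IfeoKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe'

$findings = @()

# 1. Debugger hijack (second technique): a Debugger value under
#    IFEO\sethc.exe makes Windows launch that program when sethc.exe is
#    invoked, including from the login screen.
$debugger = (Get-ItemProperty -Path $IfeoKey -Name Debugger -ErrorAction SilentlyContinue).Debugger
if ($debugger) {
    $findings += "IFEO Debugger set for sethc.exe: $debugger"
}

# 2. Binary replacement (first technique). A copied cmd.exe still carries a
#    valid Microsoft signature, so the signature alone is not enough; the
#    version resource and a hash comparison against cmd.exe catch the swap.
$item = Get-Item -Path $Target
$orig = $item.VersionInfo.OriginalFilename
if ($orig -and $orig -notlike 'sethc*') {
    $findings += "sethc.exe version resource reports OriginalFilename '$orig'"
}
if ((Get-FileHash -Path $Target).Hash -eq (Get-FileHash -Path $CmdExe).Hash) {
    $findings += 'sethc.exe is byte-identical to cmd.exe'
}
$sig = Get-AuthenticodeSignature -FilePath $Target
if ($sig.Status -ne 'Valid') {
    $findings += "sethc.exe Authenticode status: $($sig.Status)"
}

# 3. The ownership / ACL steps in the first technique change the owner of the
#    file; the shipped binary is owned by TrustedInstaller.
$owner = (Get-Acl -Path $Target).Owner
if ($owner -ne 'NT SERVICE\TrustedInstaller') {
    $findings += "sethc.exe owner is '$owner' (expected NT SERVICE\TrustedInstaller)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No sethc.exe tampering indicators found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

The hash and version-resource checks matter because the first technique swaps in a genuine, Microsoft-signed cmd.exe, so `Get-AuthenticodeSignature` reports `Valid` either way; the owner check corresponds directly to the take-ownership step shown in the first set of images. The same checks fit naturally into a scheduled job or an EDR custom query, and the post's note that Defender had to be disabled first is itself a signal worth alerting on.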

As a side note, the first technique is something I would use if I got locked out of a workstation. You can crash the system three times, enter recovery, and copy cmd.exe to sethc.exe without all the extra ownership / access control steps.