Persistence Via Sticky Key Backdoor (1070db9a-3e5d-412e-8e7b-7183b616e1b3)

By replacing the Sticky Keys executable with the local administrator's CMD executable, an attacker is able to access a privileged Windows console session without authenticating to the system. When Sticky Keys is "activated", the privileged shell is launched instead.

Cluster A                                                                      | Galaxy A    | Cluster B                                                             | Galaxy B       | Level
------------------------------------------------------------------------------ | ----------- | --------------------------------------------------------------------- | -------------- | -----
Persistence Via Sticky Key Backdoor (1070db9a-3e5d-412e-8e7b-7183b616e1b3)     | Sigma-Rules | Accessibility Features - T1546.008 (70e52b04-2a0c-4cea-9d18-7149f1df9dc5) | Attack Pattern | 1
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)       | Attack Pattern | Accessibility Features - T1546.008 (70e52b04-2a0c-4cea-9d18-7149f1df9dc5) | Attack Pattern | 2