An adversary can use accessibility features (Ease of Access), such as StickyKeys or Utilman, to launch a command shell from the logon screen and gain SYSTEM access. Since an adversary does not have physical access to the machine, this technique must be run within Remote Desktop. To prevent an adversary from getting to the login screen without first authenticating, Network-Level Authentication (NLA) must be enabled. If a debugger is set up for one of the accessibility features, then it will intercept the process launch of the feature and instead execute a new command line. This analytic looks for instances of cmd.exe or powershell.exe launched directly from the logon process, winlogon.exe. It should be used in tandem with CAR-2014-11-003, which detects the accessibility programs in the command line.

ATT&CK Detection

Technique Tactic Level of Coverage
Accessibility Features Privilege Escalation, Execution, Persistence Moderate

Pseudocode

Look for instances of processes where the parent executable is winlogon.exe and the child is an instance of a command prompt.

processes = search Process:Create
winlogon_cmd = filter processes where (parent_exe == "winlogon.exe" and exe == "cmd.exe")
output winlogon_cmd

Additional Notes:

Several accessibility programs can be run using the Ease of Access center

  • sethc.exe handles StickyKeys
  • utilman.exe is the Ease of Access menu
  • osk.exe runs the On-Screen Keyboard
  • narrator.exe reads screen text over audio
  • magnify.exe magnifies the view of the screen near the cursor

Data Model References

|Object|Action|Field| |—|—|—| | process | create | exe | | process | create | parent_exe |