An adversary can use accessibility features (Ease of Access), such as StickyKeys or Utilman, to launch a command shell from the logon screen and gain SYSTEM access. Since an adversary does not have physical access to the machine, this technique must be run within Remote Desktop. To prevent an adversary from getting to the login screen without first authenticating, Network-Level Authentication (NLA) must be enabled. If a debugger is set up for one of the accessibility features, then it will intercept the process launch of the feature and instead execute a new command line. This analytic looks for instances of
powershell.exe launched directly from the logon process,
winlogon.exe. It should be used in tandem with CAR-2014-11-003, which detects the accessibility programs in the command line.
|Technique||Tactic||Level of Coverage|
|Accessibility Features||Privilege Escalation, Execution, Persistence||Moderate|
Look for instances of processes where the parent executable is winlogon.exe and the child is an instance of a command prompt.
processes = search Process:Create winlogon_cmd = filter processes where (parent_exe == "winlogon.exe" and exe == "cmd.exe") output winlogon_cmd
Several accessibility programs can be run using the Ease of Access center
utilman.exeis the Ease of Access menu
osk.exeruns the On-Screen Keyboard
narrator.exereads screen text over audio
magnify.exemagnifies the view of the screen near the cursor