2.6 Accessibility Programs

The Windows operating system provides various accessibility features such as the On-Screen Keyboard, Narrator, Magnifier, Speech Recognition, and so on. These features are mainly designed for people with special needs, and they can be launched without even logging into the system. For example, many of these accessibility programs can be accessed by pressing the Windows + U key combination, which launches C:\Windows\System32\utilman.exe, or you can enable Sticky Keys by pressing the Shift key five times, which launches C:\Windows\System32\sethc.exe. An attacker can change the way these accessibility programs (such as sethc.exe and utilman.exe) are launched in order to execute a program of their choice, or to obtain cmd.exe with elevated privileges (privilege escalation).

Adversaries use the Sticky Keys (sethc.exe) feature to gain unauthenticated access via Remote Desktop (RDP). In the case of the Hikit rootkit (https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html), the legitimate sethc.exe program was replaced with cmd.exe. This allowed the adversaries to access a command prompt with SYSTEM privileges over RDP just by pressing the Shift key five times. While in older versions of Windows it was possible to simply replace the accessibility program with another program, newer versions of Windows enforce various restrictions: the replacement binary must reside in %systemdir%, it must be digitally signed on x64 systems, and it is protected by Windows File Protection or Windows Resource Protection (WFP/WRP). These restrictions make it hard for adversaries to replace the legitimate programs (such as sethc.exe). To avoid replacing the files, adversaries instead make use of the Image File Execution Options (IFEO) registry key covered in the previous section, as shown in the following command. The registry entry sets cmd.exe as the debugger for sethc.exe; an adversary can then connect over RDP and press the Shift key five times at the logon screen to get a SYSTEM-level command shell. Using this shell, the adversary can execute arbitrary commands before ever authenticating. In the same manner, a malicious backdoor program can be executed by setting it as the debugger for sethc.exe or utilman.exe:

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f

In the following example, when a malware sample (mets.exe) is executed, it runs the command shown below, which opens the RDP port in the firewall, modifies the registry to allow RDP connections, and then adds a registry value that sets Task Manager (taskmgr.exe) as the debugger for sethc.exe. This allows an adversary to launch taskmgr.exe over RDP (with SYSTEM privileges). Using this technique, an adversary can kill a process or start/stop a service over RDP without even logging in to the system:

[CreateProcess] mets.exe:564 > "cmd /c netsh firewall add portopening tcp 3389 all & reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f & REG ADD HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe /v Debugger /t REG_SZ /d %windir%\system32\taskmgr.exe /f"

This type of attack is somewhat difficult to detect, because the attacker either replaces an accessibility program with a legitimate program or abuses a legitimate program through IFEO; no malicious binary need be dropped. However, if you suspect that an accessibility program (such as sethc.exe) has been replaced with a legitimate file such as cmd.exe or taskmgr.exe, you can compare the hash value of the suspected accessibility program with the hash values of the legitimate files (cmd.exe or taskmgr.exe) and look for a match. A matching hash indicates that the original sethc.exe was replaced. You should also inspect the Image File Execution Options registry key for any Debugger value set on an accessibility program, since that is the technique adversaries use when replacing the file itself is not possible.
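The two checks described above can be automated for offline triage. The following script is an added example and not part of the book's text: it hashes every executable in a System32 directory (for instance from a mounted disk image) and reports any accessibility program whose SHA-256 equals another executable's, and it parses a `reg export` dump of the Image File Execution Options key to report Debugger values attached to accessibility programs. The set of accessibility binaries checked and the sample directory and `.reg` text are constructed for this example; `%windir%\System32` on a live host or a real `reg export` of the IFEO key would be used in practice.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Accessibility programs Windows can start from the logon screen. This set is an
# assumption of the example; sethc.exe and utilman.exe are the ones the text covers.
ACCESSIBILITY_PROGRAMS = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", "magnify.exe"}

# Substring (lower-cased) that identifies per-executable subkeys of the IFEO key.
IFEO_MARKER = "\\image file execution options\\"


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_replaced_accessibility_programs(system32: Path) -> dict:
    """Return {accessibility_exe: other_exe} for every accessibility binary whose hash
    equals a different executable in the same directory (e.g. sethc.exe == cmd.exe)."""
    hashes = {p.name.lower(): sha256_of(p) for p in system32.iterdir() if p.suffix.lower() == ".exe"}
    matches = {}
    for name in ACCESSIBILITY_PROGRAMS:
        if name not in hashes:
            continue
        for other, digest in hashes.items():
            if other != name and digest == hashes[name]:
                matches[name] = other
                break
    return matches


def parse_ifeo_debuggers(reg_export: str) -> dict:
    """Parse a .reg export and return {target_exe: debugger_path} for every IFEO subkey
    that carries a Debugger value. Backslashes are doubled in .reg files, so undo that."""
    debuggers = {}
    current_target = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current_target = key.rsplit("\\", 1)[1].lower() if IFEO_MARKER in key.lower() else None
            continue
        match = re.match(r'^"Debugger"="(.*)"$', line, re.IGNORECASE)
        if match and current_target:
            debuggers[current_target] = match.group(1).replace("\\\\", "\\").replace('\\"', '"')
    return debuggers


def flag_accessibility_debuggers(debuggers: dict) -> dict:
    """Keep only Debugger entries that hijack an accessibility program."""
    return {target: dbg for target, dbg in debuggers.items() if target in ACCESSIBILITY_PROGRAMS}


# Constructed sample: a reg export in which sethc.exe has cmd.exe as its debugger
# (mirroring the text's REG ADD command) and notepad.exe has a benign developer debugger.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\windows\\system32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\tools\\devenv.exe"
"""


def build_sample_system32(root: Path) -> Path:
    """Constructed stand-in for System32: sethc.exe has been overwritten with a copy of
    cmd.exe, while utilman.exe is untouched. File contents are placeholders, not real PEs."""
    files = {"cmd.exe": b"MZ cmd", "taskmgr.exe": b"MZ taskmgr",
             "sethc.exe": b"MZ cmd", "utilman.exe": b"MZ utilman"}
    for name, body in files.items():
        (root / name).write_bytes(body)
    return root


def demo() -> tuple:
    """Run both checks over the constructed samples and return their findings."""
    with tempfile.TemporaryDirectory() as tmp:
        replaced = find_replaced_accessibility_programs(build_sample_system32(Path(tmp)))
    hijacked = flag_accessibility_debuggers(parse_ifeo_debuggers(SAMPLE_REG_EXPORT))
    return replaced, hijacked


if __name__ == "__main__":
    replaced, hijacked = demo()
    for exe, other in replaced.items():
        print(f"[!] {exe} has the same SHA-256 as {other}: original likely replaced")
    for exe, debugger in hijacked.items():
        print(f"[!] IFEO Debugger set for {exe}: {debugger}")
```

Comparing against every other executable in the directory, rather than only cmd.exe and taskmgr.exe, generalises the book's check: whichever legitimate program the attacker copied over sethc.exe will produce a hash collision with its source. The IFEO parser deliberately reports all Debugger values and filters afterwards, so the unfiltered output can also be reviewed for hijacks of programs outside the accessibility set.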
