Windows Persistence: Accessibility Features
Today we are going to shed some light on a very sticky persistence method. It is so sticky that it has been there for a long time and it is here to stick. This was the last of my puns. You might have guessed it until now. It is a Sticky Keys. Let’s dive in.
Table of Content
- Accessibility Features
- Configurations Used Practical
- Enable RDP
- Metasploit: sticky_keys
- Empire: debugger
- Empire: Enable_rdp
- Logon Backdoor
- PowerShell: stickeykeys.ps1
Windows Accessibility Features are a set of tools that are available in the Windows logon screen (like Sticky Keys). These are designed to be triggered through the pre-configured combination of keys to assist the users. These Windows features became famous when the APT group abused it for backdooring target systems. You need to have administrative privileges to replace the genuine Windows binary of the tool (‘sethc.exe’ or ‘narrator.exe’, ‘magnify.exe’, etc.) with a cmd.exe.
Some of the Accessibility features and their trigger options and location are:
Accessibility Shortcut Keys
Trigger: Shift 5 times
Trigger: Windows key + U
Trigger: Click on On-screen keyboard button
Trigger: Windows Key + =
Trigger: Windows Key + Enter
Trigger: Windows Key + P
Manages switching of apps between desktop
Trigger: Have osk.exe, Magnify.exe, or Narrator.exe open the locked computer. AtBroker.exe will be executed upon locking and unlocking
The Assistive Features or as Microsoft likes to call them Assistive Technology (ATs). All of these are registered in the registry under the following registry location:
Configurations Used Practical
- Attacker Machine
- OS: Kali Linux
- IP Address: 192.168.1.112
- Target Machine
- OS: Windows 10
- IP Address: 192.168.1.106
Let’s start with enabling RDP on the Target Machine. As most of the attacks that we are going to perform will be targeted on the Accessibility Binaries that are accessible on the login screen when we take the RDP of the system. They are accessible on other locations when we have the access of the machine physically but for the remote-based attack, we need the RDP enabled. This can be done using the built-in script in meterpreter. It is based on Carlos Perez’s getgui script which enables the RDP and creates a user account to log in. Here we are just enabling the RDP with the -e parameter.
run getgui -e
Metasploit has a post-exploitation module that can create a persistence method to exploit the target by making changes in the Registry. This requires the SYSTEM privilege. So first attack the system. Get a meterpreter session on the target machine then escalate the privileges on the machine and then use this particular post-exploitation module to create a persistence backdoor. Usage of this module is pretty simple. You select the module, set the session if and run the module. It adds makes changes in the registry and then we can exploit the machine by pressing Shift key 5 times and triggering the Sticky Key Accessibility Binary which is now running a Command Prompt with elevated privileges.
use post/windows/manage/sticky_keys set session 1 exploit
After running the post-exploitation module we can check the working by connecting the target machine using rdesktop. We were greeted by the Login Panel. We pressed the Shift key and instead of the sticky key prompt we got the Command prompt. We can see in the image given below that the command prompt that we got is the one with Administrative Rights.
This module allows the attacker to set the “Image File Execution Options” which is also known as the debugger, Hence the name. It does so for many executables that are accessible before logging in on the RDP connection. If used with the default setting it will trigger a command prompt with SYSTEM privileges through the RDP without logging on the machine. This module can be configured to target a different binary by providing the path to the Binary option in the module. We also need to set a Listener for the module.
Currently, the trigger options that are available in the module are:
- persistence/debugger/sethc – It will target the Sticky Key binary.
- persistence/debugger/utilman – It will target the Utility Manager binary.
- persistence/debugger/magnify – It will target the Magnifier binary.
- persistence/debugger/narrator – It will target the Narrator binary.
- persistence/debugger/osk – It will target the On-Screen Keyboard binary.
We decide to use the module with the default permissions. We can see that the debugger module has sethc.exe set to cmd.exe.
usemodule persistence/misc/debugger execute
Now we need to enable the RDP on the target machine so we can access the machine remotely from our attacker machine. We will be using the enable_rdp module of the PowerShell Empire.
usemodule management/enable_rdp execute
After enabling the remote desktop on the target machine, we tried to access it through rdesktop. After getting the login panel, we again pressed the Shift key 5 times as we need to trigger the sticky key binary. As soon as we trigger the setc.exe we see that we get the command prompt with administrative rights instead.
While researching for other tools that attack the Accessibility Features, I found this executable that pretty much sums up the practical that we were doing remotely with Kali Linux. It is a pretty simple executable that can be used if you have the physical access of the target system. It provides a simple menu as shown in the image given below. We select the first option that sets the backdoor and it does its job in a matter of seconds.
It says that the operation has been completed successfully. So, let’s give it a try. For the purposes of the practical, we locked the system and try to trigger the sticky key binary by pressing the shift key 5 times. As we can see that we have the command prompt with administrative privileges as shown in the image given below.
Now that we have explored the remote modules from Metasploit and Empire and the executable, its time to discover the PowerShell script for the same. It is a very simple script that can be download from the link given below. To attack the target machine, we need permission to run scripts on the machine. After getting permission we import the PowerShell script. Then simply running the script as shown in the image will add the backdoor.
Import-Module .\stickykeys.ps1 .\stickykeys.ps1
Time to test the working. Since we have added the backdoor it must have replaced the sethc.exe with the cmd.exe. To test it we will press the shift key 5 times as we did in our previous practicals and as seen in the image given below we have the cmd with administrative access.
This tool can also remove the backdoor and fix the problem but it never solves it as Accessibility features are always there to exploit again.
- Delete or replace the affected file
- exe /scannow
- Remove the affected registry entry
- Restrict local administrative access
- Enable Full Disk Encryption
- Network Level Authentication for RDP Connection
- Endpoint monitoring
- Netflow analysis
Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Can be Contacted on Twitter and LinkedIn