Backdooring the Login Screen
Persistence techniques to backdoor the login screen
In this blog post, we will take a look at persistence techniques with which an adversary can backdoor the login screen to maintain Administrator access. For the practical demonstration, we will refer to a TryHackMe room called "Windows Local Persistence".
Event Triggered Execution - T1546.008
According to MITRE ATT&CK, adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the Shift key is pressed five times, and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as "sticky keys", and has been used by adversaries for unauthenticated access through a remote desktop login screen. In this blog, we will take a look at both techniques in detail.
Attack Scenario
Before we move further, we will take a look at the attack scenario. We will act as an adversary who has already gained Administrator access. Here is a visual representation.
As mentioned, we will refer to the TryHackMe room called "Windows Local Persistence". Here are the administrator user credentials.
Log in via RDP using those credentials.
Sticky Keys - Sethc.exe
sethc.exe is an executable file on the system drive of a Windows machine. When Windows starts it, the machine code it contains is loaded into main memory (RAM) and runs there as a Windows NT High Contrast Invocation process.
This process runs when Shift is pressed five times in a row, to invoke the StickyKeys configuration window.
Windows will execute the binary C:\Windows\System32\sethc.exe. If we are able to replace that binary with a payload of our choice, we can then trigger it with the shortcut. Interestingly, we can even do this from the login screen before entering any credentials.
A straightforward way to backdoor the login screen consists of replacing sethc.exe with a copy of cmd.exe. That way, we can spawn a console using the sticky keys shortcut, even from the login screen.
First, log in with the credentials provided above. To overwrite sethc.exe, we need to take ownership of the file and grant our current user permission to modify it. Only then will we be able to replace it with a copy of cmd.exe. We can do so with the following commands.
Next, lock the workstation.
After this, press Shift five times and you will get a cmd.exe session running as NT AUTHORITY\SYSTEM.
Utilman.exe
Utilman is a built-in Windows application that provides Ease of Access options on the lock screen.
When we click the Ease of Access button on the login screen, it executes C:\Windows\System32\Utilman.exe with SYSTEM privileges. If we replace it with a copy of cmd.exe, we can bypass the login screen again.
To replace utilman.exe, we follow the same process we used for sethc.exe.
To trigger our terminal, we lock the screen from the Start menu.
And finally, proceed to click the "Ease of Access" button. Since we replaced utilman.exe with a copy of cmd.exe, we get a command prompt with SYSTEM privileges.
We get a shell as NT AUTHORITY\SYSTEM.
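Both replacements demonstrated above leave the same simple artefact on disk: the accessibility binary is now byte-for-byte identical to cmd.exe, and its hash no longer matches a clean copy. The following Python is an added example (not code from the original post or from the TryHackMe room) of a host-side integrity check that looks for both signals across the accessibility binaries ATT&CK lists for T1546.008. The directory to scan and the baseline hashes are inputs; the demo() function builds a constructed System32 look-alike in a temporary directory instead of touching a real system.

```python
"""Integrity check for Windows accessibility binaries (added example).

Two independent signals are reported for each accessibility binary found in
a System32 directory:
  1. its SHA-256 equals that of cmd.exe (or another shell) in the same
     directory, which is exactly what a copy-over replacement leaves behind;
  2. its SHA-256 differs from a known-good baseline captured on a clean host.
The sample files written by demo() are constructed for illustration only.
"""
import hashlib
import os
import tempfile

# Accessibility programs reachable from the logon screen (ATT&CK T1546.008).
ACCESSIBILITY_BINARIES = (
    "sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
    "narrator.exe", "displayswitch.exe", "atbroker.exe",
)
# Interactive shells an attacker typically copies over an accessibility binary.
SHELL_BINARIES = ("cmd.exe", "powershell.exe")


def sha256_of(path):
    """Return the hex SHA-256 of a file, or None if the file is missing."""
    try:
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()
    except FileNotFoundError:
        return None


def check_accessibility_binaries(system32_dir, baseline):
    """Return a sorted list of (binary, reason) findings.

    baseline maps binary name -> expected SHA-256 captured from a clean host
    at the same patch level (Windows updates change these hashes).
    """
    shell_hashes = {}
    for shell in SHELL_BINARIES:
        digest = sha256_of(os.path.join(system32_dir, shell))
        if digest:
            shell_hashes[digest] = shell

    findings = []
    for name in ACCESSIBILITY_BINARIES:
        digest = sha256_of(os.path.join(system32_dir, name))
        if digest is None:
            continue  # not shipped on this edition; nothing to compare
        if digest in shell_hashes:
            findings.append((name, f"identical to {shell_hashes[digest]}"))
        expected = baseline.get(name)
        if expected and digest != expected:
            findings.append((name, "hash differs from baseline"))
    return sorted(findings)


def demo():
    """Build a constructed System32 look-alike and run the check against it."""
    with tempfile.TemporaryDirectory() as d:
        files = {
            "cmd.exe": b"MZ constructed-cmd",
            "sethc.exe": b"MZ constructed-cmd",              # copy of cmd.exe
            "utilman.exe": b"MZ constructed-utilman-modified",  # tampered
            "osk.exe": b"MZ constructed-osk",                # untouched
        }
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        baseline = {  # what a clean host of the same build would hash to
            "sethc.exe": hashlib.sha256(b"MZ constructed-sethc").hexdigest(),
            "utilman.exe": hashlib.sha256(b"MZ constructed-utilman").hexdigest(),
            "osk.exe": hashlib.sha256(b"MZ constructed-osk").hexdigest(),
        }
        return check_accessibility_binaries(d, baseline)


if __name__ == "__main__":
    for binary, reason in demo():
        print(f"ALERT {binary}: {reason}")
```

On a real host you would point check_accessibility_binaries() at C:\Windows\System32 with a baseline recorded from a clean machine at the same patch level; the baseline needs refreshing after every Windows update, whereas the identical-to-cmd.exe rule needs no baseline at all and catches the exact artefact this post produces.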
MITRE ATT&CK Analysis
Adversary Groups and Frameworks
Here is a list of APT and threat actor groups that leverage this technique for privilege escalation and persistence.
APT29
APT29 used sticky keys to obtain unauthenticated, privileged console access.
APT3
APT3 replaces the Sticky Keys binary C:\Windows\System32\sethc.exe for persistence.
Axiom
Axiom actors have been known to use the Sticky Keys replacement within RDP sessions to obtain persistence.
Empire C2
PowerShell Empire can leverage WMI debugging to remotely replace binaries like sethc.exe, Utilman.exe, and Magnify.exe with cmd.exe.
Mitigations
These are the most effective mitigations.
Execution Prevention
Block execution of code on a system through application control and/or script blocking. Identify and block potentially malicious software executed through accessibility features by using application control tools, like Windows Defender Application Control, AppLocker or Software Restriction Policies where appropriate.
Detection
Windows Registry Monitoring
Monitor registry keys within HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, as well as the accessibility binaries themselves for changes that do not correlate with patch cycles.
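The following Python is an added example (not code from the original post or the TryHackMe room) of how that monitoring looks once it is written as detection logic over endpoint telemetry. It covers the file replacement shown earlier in this post and the registry variant this section points at: an Image File Execution Options subkey named after an accessibility binary with a Debugger value makes Windows launch the named "debugger" in place of that binary, so the file in System32 never changes and only the registry write and the resulting process betray it. Events are plain dictionaries whose field names follow Sysmon's ProcessCreate (Event ID 1: Image, OriginalFileName, ParentImage) and RegistryEvent Value Set (Event ID 13: TargetObject, Details) schema; the SAMPLE_EVENTS are constructed, not captured from a real host.

```python
"""Log-based detection of accessibility-feature backdoors (added example).

Events are dictionaries keyed like Sysmon's schema: Event ID 1
(ProcessCreate: Image, OriginalFileName, ParentImage) and Event ID 13
(RegistryEvent Value Set: TargetObject, Details). SAMPLE_EVENTS below are
constructed for illustration, not captured from a real host.
"""

# Accessibility programs reachable from the logon screen (ATT&CK T1546.008).
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
    "narrator.exe", "displayswitch.exe", "atbroker.exe",
}
# Shells whose PE OriginalFileName should never sit behind an accessibility path.
SHELL_NAMES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
IFEO_PREFIX = ("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
               "\\Image File Execution Options\\")


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a list of (rule, message) alerts in event order."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 1:
            image = basename(ev.get("Image", ""))
            original = ev.get("OriginalFileName", "").lower()
            parent = basename(ev.get("ParentImage", ""))
            # R1: the file on disk was replaced; its PE metadata still says cmd.exe.
            if image in ACCESSIBILITY_BINARIES and original in SHELL_NAMES:
                alerts.append(("R1", f"{image} has OriginalFileName {original}"))
            # R2: the logon-screen process itself spawned a shell.
            if parent == "winlogon.exe" and (image in SHELL_NAMES or original in SHELL_NAMES):
                alerts.append(("R2", f"winlogon.exe spawned {image}"))
        elif ev.get("EventID") == 13:
            target = ev.get("TargetObject", "")
            if not target.lower().startswith(IFEO_PREFIX.lower()):
                continue
            parts = target[len(IFEO_PREFIX):].split("\\")
            # R3: IFEO\<accessibility binary>\Debugger redirects the launch to
            # another executable, so the binary itself never has to change.
            if (len(parts) == 2 and parts[0].lower() in ACCESSIBILITY_BINARIES
                    and parts[1].lower() == "debugger"):
                alerts.append(("R3", f"IFEO Debugger set for {parts[0].lower()} "
                                     f"-> {ev.get('Details', '')}"))
    return alerts


SAMPLE_EVENTS = [  # constructed records
    # Benign: the genuine sticky-keys binary started from the logon screen.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\sethc.exe",
     "OriginalFileName": "sethc.exe",
     "ParentImage": "C:\\Windows\\System32\\winlogon.exe"},
    # Replacement: sethc.exe on disk is a renamed cmd.exe (fires R1 and R2).
    {"EventID": 1, "Image": "C:\\Windows\\System32\\sethc.exe",
     "OriginalFileName": "Cmd.Exe",
     "ParentImage": "C:\\Windows\\System32\\winlogon.exe"},
    # Unrelated IFEO write that the rule must ignore.
    {"EventID": 13, "TargetObject": IFEO_PREFIX + "notepad.exe\\GlobalFlag",
     "Details": "DWORD (0x00000200)"},
    # Debugger hijack of utilman.exe (fires R3).
    {"EventID": 13, "TargetObject": IFEO_PREFIX + "utilman.exe\\Debugger",
     "Details": "C:\\Windows\\System32\\cmd.exe"},
    # The shell that hijack produces when Ease of Access is clicked (fires R2).
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "ParentImage": "C:\\Windows\\System32\\winlogon.exe"},
]


def run_demo():
    """Run the three rules over the constructed sample events."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, message in run_demo():
        print(rule, message)
```

R1 is the rule that catches the exact scenario of this post, because Sysmon reports the OriginalFileName from the PE version resource rather than the name on disk; R2 is the broader behavioural signal (winlogon.exe should launch accessibility tools, never a shell) and also covers the IFEO variant; R3 fires on the registry write itself, before any trigger at the lock screen.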