Accessibility Features

Veramine edited this page Jul 7, 2017 · 6 revisions

Windows contains accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. More background on this attacker tactic is available at https://attack.mitre.org/wiki/Technique/T1015.
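As an added illustration (not Veramine's detection engine or code from this wiki), the sketch below flags the two kinds of change this technique relies on, run over Sysmon-style registry (Event ID 13) and file-creation (Event ID 11) records. The binary list follows the ATT&CK T1015 write-up; the trusted-writer list and all sample events are assumptions constructed for the example.

```python
import ntpath  # Windows path handling that also works on non-Windows analysis hosts

# Programs launchable from the logon screen (per the ATT&CK T1015 write-up).
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
                          "narrator.exe", "displayswitch.exe", "atbroker.exe"}
IFEO_MARKER = r"\image file execution options" + "\\"
# Assumption: only the Windows servicing stack legitimately rewrites these files.
TRUSTED_WRITERS = {"trustedinstaller.exe", "tiworker.exe"}

def classify(event):
    """Return a finding string if the event alters how an accessibility program launches."""
    actor = ntpath.basename(event["Image"]).lower()
    if event["EventID"] == 13:  # Sysmon: registry value set
        key = event["TargetObject"].lower()
        pos = key.find(IFEO_MARKER)
        if pos == -1:
            return None
        parts = key[pos + len(IFEO_MARKER):].split("\\")
        if len(parts) == 2 and parts[0] in ACCESSIBILITY_BINARIES and parts[1] == "debugger":
            return f"{actor} set a Debugger for {parts[0]}: {event['Details']}"
    elif event["EventID"] == 11:  # Sysmon: file created or overwritten
        path = event["TargetFilename"].lower()
        in_system32 = ntpath.dirname(path).endswith(r"\windows\system32")
        name = ntpath.basename(path)
        if in_system32 and name in ACCESSIBILITY_BINARIES and actor not in TRUSTED_WRITERS:
            return f"{actor} wrote over {name}"
    return None

def scan(events):
    """Classify every event and keep only the findings."""
    return [f for f in map(classify, events) if f]

IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": IFEO + r"\sethc.exe\Debugger", "Details": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": IFEO + r"\notepad.exe\Debugger", "Details": r"C:\tools\dbg.exe"},
    {"EventID": 11, "Image": r"C:\Windows\WinSxS\constructed\TiWorker.exe",
     "TargetFilename": r"C:\Windows\System32\utilman.exe"},
    {"EventID": 11, "Image": r"C:\Users\constructed\updater.exe",
     "TargetFilename": r"C:\Windows\System32\osk.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

Matching on the writer's image name alone is a triage heuristic; a production rule would also verify the writer's signature and full path.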

Veramine's detection engine detects instances where an application has changed the accessibility features in a manner that looks like the "Sticky Keys" style attack. Here is an example detection: