Classification:

attack

Tactic:

TA0004-privilege-escalation

Technique:

T1546-event-triggered-execution

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detects attempts to create a sticky key backdoor by replacing the legitimate sethc.exe with cmd.exe, enabling command prompt access from the login screen.

Strategy

This rule monitors Windows command line activity for operations that replace the Windows Sticky Keys executable (sethc.exe) with the command prompt (cmd.exe). This technique, often referred to as a “sticky key backdoor”, allows attackers to gain SYSTEM-level command prompt access directly from the Windows login screen without authentication by pressing the Shift key five times. The sticky key accessibility feature is designed to help users with physical disabilities, but when compromised, it becomes a powerful persistence mechanism that allows attackers to regain privileged access even after credentials are changed. This method is particularly dangerous because it operates at the login screen, before authentication, and with the highest system privileges.

Triage & Response

• Verify the integrity of the sethc.exe file on the affected {{host}} system by checking its digital signature and comparing its hash with a known good version.
• Identify which user or process executed the command to replace sethc.exe.
• Determine when the modification occurred and review other activities performed by the same user or process.
• Examine authentication logs to identify potential unauthorized access that occurred after the backdoor installation.