{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/accessibility_features/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["persistence","privilege_escalation","accessibility_features"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eWindows accessibility features, such as Narrator, Magnifier, and On-Screen Keyboard, are designed to assist users with disabilities and can be launched from the login screen using specific key combinations. Attackers can abuse this functionality by replacing legitimate accessibility binaries with malicious executables, allowing them to execute arbitrary commands with SYSTEM privileges before a user logs in. This technique is often used for persistence, privilege escalation, and establishing backdoors. The detection focuses on identifying processes launched by accessibility features with unexpected original file names, which may indicate malicious replacement or modification. Successful exploitation allows an attacker to bypass standard login procedures and gain unauthorized access to the system with elevated privileges.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., via compromised credentials or remote access).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the accessibility binaries (e.g., \u003ccode\u003eC:\\\\Windows\\\\System32\\\\sethc.exe\u003c/code\u003e, \u003ccode\u003eC:\\\\Windows\\\\System32\\\\utilman.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker replaces a legitimate accessibility binary with a malicious executable (e.g., a reverse shell or command interpreter) using tools like \u003ccode\u003etakeown\u003c/code\u003e and \u003ccode\u003eicacls\u003c/code\u003e to modify file permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the system to launch the malicious executable when the corresponding accessibility feature is invoked from the login screen.\u003c/li\u003e\n\u003cli\u003eThe system is rebooted or locked, presenting the login screen.\u003c/li\u003e\n\u003cli\u003eThe attacker invokes the replaced accessibility feature using the associated key combination (e.g., pressing Shift five times for Sticky Keys/sethc.exe).\u003c/li\u003e\n\u003cli\u003eThe malicious executable is launched with SYSTEM privileges, providing the attacker with a command prompt or remote access shell.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious actions, such as creating new accounts, installing malware, or exfiltrating data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this technique allows attackers to gain persistent, elevated access to the compromised system. The attacker can bypass normal login procedures and execute commands with SYSTEM privileges. This can lead to complete system compromise, data theft, and the installation of persistent backdoors. The scope can range from a single workstation to multiple systems within an organization if the attacker is able to automate the replacement process.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Potential Modification of Accessibility Binaries\u0026rdquo; Sigma rule to your SIEM to detect unauthorized modifications of accessibility binaries.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to provide the necessary data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eMonitor for processes spawned by \u003ccode\u003eUtilman.exe\u003c/code\u003e or \u003ccode\u003ewinlogon.exe\u003c/code\u003e with a user context of \u0026ldquo;SYSTEM\u0026rdquo; and an unexpected \u003ccode\u003eprocess.pe.original_file_name\u003c/code\u003e as defined in the Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement strict file permission controls on accessibility binaries in \u003ccode\u003eC:\\\\Windows\\\\System32\\\\\u003c/code\u003e to prevent unauthorized modification.\u003c/li\u003e\n\u003cli\u003eRegularly audit and verify the integrity of accessibility binaries to detect any unauthorized changes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T18:39:57Z","date_published":"2026-05-12T18:39:57Z","id":"https://feed.craftedsignal.io/briefs/2026-05-accessibility-binary-modification/","summary":"Adversaries may modify or replace Windows accessibility binaries (e.g., sethc.exe, utilman.exe) to execute malicious commands or establish persistence mechanisms before a user logs in, potentially leading to elevated privileges and unauthorized access.","title":"Potential Modification of Accessibility Binaries for Persistence","url":"https://feed.craftedsignal.io/briefs/2026-05-accessibility-binary-modification/"}],"language":"en","title":"CraftedSignal Threat Feed — Accessibility_features","version":"https://jsonfeed.org/version/1.1"}