Attack Chain

1. The attacker gains initial access to the system through unspecified means.
2. The attacker escalates privileges to allow registry modifications.
3. The attacker navigates to the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options registry key.
4. The attacker creates or modifies a subkey for a specific executable (e.g., taskmgr.exe, cmd.exe).
5. The attacker creates or modifies a value named Debugger within the subkey.
6. The attacker sets the Debugger value to HotKey Disabled, effectively disabling hotkeys for the target application.
7. The analyst attempts to use hotkeys for incident response and finds them non-functional.
8. The attacker maintains persistence and complicates incident response efforts.

Impact

Disabling Windows application hotkeys can severely hinder incident response capabilities. By rendering tools like Task Manager and Command Prompt inaccessible via hotkeys, analysts are forced to use alternative, slower methods. This can delay critical tasks such as identifying and terminating malicious processes, giving the attacker more time to operate undetected. The impact can affect any organization relying on standard Windows tools for security monitoring and incident handling.

Recommendation

• Enable Sysmon EventID 13 logging to detect registry modifications as described in the overview.
• Deploy the Sigma rule Detect Windows App Hotkey Disablement to your SIEM to identify this specific registry modification.
• Investigate any alerts generated by the Sigma rule, focusing on the Registry.dest field to identify affected systems.
• Review systems identified with disabled hotkeys for other signs of compromise based on the registry modifications.