The Windows registry is a goldmine for adversaries trying to maintain persistence on a compromised system. CrowdStrike® has already demonstrated a technique extensively used by adversaries and penetration testers to gain a system-level command prompt at the login screen by registering a debugger (an Image File Execution Options Debugger value) for an accessibility tool; others have explored replacing the tool's binary on disk to achieve the same effect. These are not the only two methods, however. The Windows registry also contains a catalog of accessibility tools that can be manipulated to the same effect, and using that catalog gives an adversary a lesser-known persistence method that is unlikely to be detected by legacy security products.
This catalog lives under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs, with one subkey per accessibility tool:
Figure 1: ATs Registry Key and Subkey Tree
Of these, CrowdStrike successfully leveraged three tools: On-Screen Keyboard, Narrator, and Magnifier. Their entries reside in the following three subkeys, respectively:
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\osk
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\narrator
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\magnifierpane
Each subkey holds a set of values describing the particular accessibility tool. One of them, StartExe, names the executable that Windows launches when the tool is invoked. Changing that single value is enough to make an arbitrary program run in place of the expected accessibility tool; swapping in Command Prompt this way is a technique CrowdStrike has observed adversaries using in the past.
Figure 2: Magnifierpane Subkey Values
By default, the ACL on these keys permits writes only to TrustedInstaller, so replacing the values requires a TrustedInstaller token (which can be obtained, for example, via Metasploit) or first changing the key's ownership or permissions.
Figure 3: Registry Key Privileges Output From PowerShell
For example, the following command, run with TrustedInstaller privileges, replaces the StartExe value for Magnifier (the magnifierpane subkey) with cmd.exe:
Figure 4: Command to Replace StartExe Value
From the login screen, Utility Manager (opened with Windows+U) provides access to Magnifier:
Figure 5: Utility Manager
Clicking Magnifier launches Command Prompt with system-level privileges on the logon desktop, before any user has authenticated.
Figure 6: Command Prompt at Login Screen
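Because the catalog is readable by any user, a defender can audit it without special tooling. The PowerShell script below is an added example and is not part of the original article: it walks every ATs subkey that carries a StartExe value and flags entries whose target resolves outside %windir%\System32, lacks a valid Microsoft Authenticode signature, or, for the three tools named above, is not the expected binary. The expected file names (osk.exe, Narrator.exe, Magnify.exe) are an assumption about a default Windows 10 build and should be confirmed against a known-good host. Note that cmd.exe, the page's own example, lives in System32 and is Microsoft-signed, so the path and signature checks alone would pass it; the per-tool baseline is what catches that case.

```powershell
# Audit the Accessibility Tools (ATs) catalog for tampered StartExe values.
# Added example, not from the original article. The $expected table is an
# assumption about default Windows 10 values; verify it on a known-good host.

function Test-AccessibilityStartExe {
    $atsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs'

    # Assumed default StartExe targets for the three tools discussed (file name only).
    $expected = @{
        osk           = 'osk.exe'
        narrator      = 'Narrator.exe'
        magnifierpane = 'Magnify.exe'
    }

    # Trailing backslash so "System32evil\" does not match as a prefix.
    $system32 = (Join-Path $env:windir 'System32') + '\'

    Get-ChildItem -Path $atsKey | ForEach-Object {
        $sub  = $_.PSChildName
        $vals = Get-ItemProperty -Path $_.PSPath

        # Many ATs subkeys are plain settings with no launcher; skip those.
        if (-not $vals.PSObject.Properties['StartExe']) { return }

        $raw      = [string]$vals.StartExe
        $expanded = [Environment]::ExpandEnvironmentVariables($raw)
        try   { $full = [IO.Path]::GetFullPath($expanded) } catch { $full = $expanded }
        $leaf     = [IO.Path]::GetFileName($full)
        $findings = @()

        # 1. The target must resolve under %windir%\System32.
        if (-not $full.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)) {
            $findings += "StartExe resolves outside System32: $raw"
        }

        # 2. Known tools must point at their own binary (catches cmd.exe in place of Magnify.exe).
        if ($expected.ContainsKey($sub) -and $leaf -ne $expected[$sub]) {
            $findings += "expected $($expected[$sub]), found $leaf"
        }

        # 3. The image must exist and carry a valid Microsoft Authenticode signature.
        if (Test-Path -LiteralPath $full) {
            $sig = Get-AuthenticodeSignature -FilePath $full
            if ($sig.Status -ne 'Valid' -or
                $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
                $findings += "signature status $($sig.Status); signer $($sig.SignerCertificate.Subject)"
            }
        } else {
            $findings += "target does not exist: $full"
        }

        [pscustomobject]@{
            Subkey     = $sub
            StartExe   = $raw
            Suspicious = ($findings.Count -gt 0)
            Findings   = ($findings -join '; ')
        }
    }
}

# Run the audit and show only tampered or unexpected entries.
Test-AccessibilityStartExe | Where-Object Suspicious | Format-Table -AutoSize
```

Reading HKLM does not require elevation, so this can run from a standard user session or as a scheduled baseline check; drop the `Where-Object Suspicious` filter to see every launcher entry and its current StartExe value.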
Detection and Prevention
CrowdStrike Falcon® endpoint protection detects and prevents the use of this persistence mechanism. When the normal Windows logon process is bypassed, Falcon raises a detection that shows the full set of events relevant to the attack technique and details what occurred.
Falcon can also prevent this activity when the prevention policy for ‘Windows Logon Bypass (“Sticky Keys”)’ is enabled as seen in Figure 7.
Figure 7: Falcon Prevent™ Policy Showing Windows Logon Bypass Prevention
With the prevention policy enabled, Falcon triggers a detection and automatically blocks the processes being spawned, preventing the Windows logon bypass attempt.
This is just one example of how the CrowdStrike Falcon platform stops adversaries determined to exploit trusted systems and processes to establish persistence. To learn more about CrowdStrike’s comprehensive, next-gen endpoint protection, download the white paper: CrowdStrike Falcon: Setting the New Standard in Endpoint Protection.
Replace your legacy antivirus and dramatically improve protection and performance. Register for a free trial of CrowdStrike Falcon Prevent™ next-gen antivirus.