Windows Sticky Keys in the Hands of Hackers

The Sticky Keys accessibility feature in Windows is designed to help users who have difficulty holding down multiple keys at once. However, attackers have long abused it as a backdoor for privilege escalation and persistence. By replacing the sethc.exe binary with a command prompt or another malicious executable, an attacker can bypass authentication at the login screen and gain SYSTEM-level access.

This article explores how hackers weaponize Sticky Keys, along with Red Team techniques, Blue Team countermeasures, and real-world case studies where this exploit has been observed.


How Sticky Keys Exploit Works

Sticky Keys can be activated by pressing Shift five times at the Windows login screen. Because winlogon launches sethc.exe in the SYSTEM context before any user has authenticated, if an attacker has replaced the binary, this keystroke launches whatever now sits at that path, typically a command prompt, with SYSTEM privileges and without requiring credentials.

Classic Attack Path

  1. Gain physical or remote access to the target machine.
  2. Boot into recovery mode or use other methods to access the filesystem.
  3. Replace C:\Windows\System32\sethc.exe with a copy of cmd.exe (or another payload).
  4. Restart the system.
  5. At the login screen, press Shift x5.
  6. A command prompt with SYSTEM privileges appears, allowing full control.

Red Team Perspective

From an offensive security standpoint, Sticky Keys exploitation provides:

  • Persistence Mechanism: Even if the system reboots, the backdoor remains unless detected.
  • Credential Dumping Gateway: Attackers can run tools like mimikatz to extract cached credentials.
  • Privilege Escalation: Low-level access can be turned into full SYSTEM rights.

Example Red Team Commands

REM Backup original sethc.exe
copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe

REM Replace Sticky Keys with cmd.exe
copy /y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe

After reboot, pressing Shift five times at login spawns a SYSTEM-level shell.


Blue Team Perspective

For defenders, the Sticky Keys attack is a well-known but still dangerous technique. Security teams should focus on prevention, detection, and incident response.

Defensive Measures

  1. File Integrity Monitoring (FIM): Track changes to accessibility binaries (sethc.exe, utilman.exe, etc.).
  2. Application Whitelisting: Use tools like Windows Defender Application Control (WDAC) to block unauthorized replacements.
  3. Enable Credential Guard & LSA Protection: Mitigates credential dumping after SYSTEM-level access.
  4. Restrict Recovery Options: Prevent attackers from booting into recovery mode without admin approval.
  5. Centralized Logging: Monitor unusual process launches at the login screen.

Detection Example (Sysmon Rule)

<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="Detect Sticky Keys Backdoor" groupRelation="or">
      <!-- Event ID 11 (FileCreate) fires when a file is created or overwritten.
           Both conditions must hold (target is sethc.exe AND the writer is cmd.exe);
           as separate OR'd filters the rule would fire on every file cmd.exe writes. -->
      <FileCreate onmatch="include">
        <Rule groupRelation="and">
          <TargetFilename condition="end with">\System32\sethc.exe</TargetFilename>
          <Image condition="end with">\cmd.exe</Image>
        </Rule>
      </FileCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
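The Sysmon rule above catches the overwrite as it happens; the following PowerShell script, an added example that is not part of the original article, audits hosts for a swap that is already in place, implementing the file-integrity check from the Defensive Measures list. The function name Test-AccessibilityBinary and the list of audited binaries are assumptions of this example.

```powershell
# Audits the accessibility executables the logon screen can launch and
# reports any that look replaced. Run as a script in PowerShell 5.1 or later
# on the host being audited; read access to System32 is enough.
#
# Two checks per file:
#  1. Authenticode signature. NOTE: cmd.exe copied over sethc.exe still
#     passes, because cmd.exe is Microsoft-signed. Necessary, not sufficient.
#  2. The PE version resource's OriginalFilename must match the on-disk
#     name. cmd.exe carries OriginalFilename "Cmd.Exe", so a swapped
#     sethc.exe is flagged here even though its signature is valid.
# The SHA-256 is emitted so it can be compared with a baseline taken from a
# clean build (baseline storage is left to the reader).

# Accessibility binaries reachable from the logon screen (assumed list; extend as needed).
$AccessibilityBinaries = @(
    'sethc.exe', 'utilman.exe', 'osk.exe', 'magnify.exe',
    'narrator.exe', 'displayswitch.exe'
)

function Test-AccessibilityBinary {
    param([Parameter(Mandatory)][string]$Path)

    $expected = [System.IO.Path]::GetFileName($Path)
    $sig      = Get-AuthenticodeSignature -FilePath $Path
    $version  = (Get-Item -LiteralPath $Path).VersionInfo
    $findings = @()

    if ($sig.Status -ne 'Valid') {
        $findings += "Authenticode status is $($sig.Status)"
    }
    # Case-insensitive: Windows ships e.g. "MAGNIFY.EXE" as OriginalFilename.
    if ($version.OriginalFilename -and
        $version.OriginalFilename -ine $expected) {
        $findings += "OriginalFilename '$($version.OriginalFilename)' != '$expected'"
    }

    [pscustomobject]@{
        File       = $expected
        Suspicious = ($findings.Count -gt 0)
        Findings   = ($findings -join '; ')
        Sha256     = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Signer     = $sig.SignerCertificate.Subject
    }
}

$results = foreach ($name in $AccessibilityBinaries) {
    $path = Join-Path $env:SystemRoot "System32\$name"
    if (Test-Path -LiteralPath $path) { Test-AccessibilityBinary -Path $path }
}
$results | Format-Table File, Suspicious, Findings -AutoSize
# Non-zero exit code lets a scheduled task or EDR script flag the host.
if ($results | Where-Object Suspicious) { exit 1 }
```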

Real-World Case Studies

Ransomware Groups Leveraging Sticky Keys

Several ransomware operators have been documented using Sticky Keys backdoors to regain access to infected systems. After deploying ransomware, attackers would replace accessibility executables so they could re-enter compromised systems for negotiation or re-encryption.

APT Campaigns for Persistence

Advanced Persistent Threat (APT) groups have exploited Sticky Keys as a low-profile persistence method in high-value targets. In some intrusions, Sticky Keys backdoors were discovered months after the initial compromise, highlighting their stealth and effectiveness when defenders lacked integrity monitoring.

Insider Threat Exploitation

There have been reports in corporate environments where disgruntled insiders modified Sticky Keys binaries before leaving the company. This allowed them to return later with SYSTEM-level access, bypassing domain authentication controls.


Conclusion

The Sticky Keys backdoor is a classic Windows privilege escalation trick that remains relevant even today. While simple, it underscores how accessibility features can be turned into powerful hacking tools when not properly secured.

  • Red Teams use it as a reliable persistence mechanism.
  • Blue Teams must implement strong monitoring and integrity controls to prevent abuse.
  • Real-world incidents show Sticky Keys backdoors being leveraged by both ransomware actors and nation-state APTs.

Ultimately, defending against Sticky Keys exploitation is about hardening system files, monitoring anomalies, and limiting attacker access paths.


***
Note on Content Creation: This article was developed with the assistance of generative AI such as Gemini or ChatGPT. While generative AI strives for accuracy and comprehensive coverage, all content is reviewed and edited by human experts at IsoSecu to ensure factual correctness, relevance, and adherence to our editorial standards.