Accessibility Features

00:00

hello and welcome to another application of the minor attack framework discussion. Today. We're going to be looking at accessibility features, so let's jump right into our objectives.

00:12

So today's objectives are pretty straight forward. We're going to look at what accessibility features are discussed. Some common attack methods. We're going to discuss sticky keys on RTP, so we're gonna look at a specific example where accessibility features air used to, you know, maintain persistence in the environment.

00:30

We're going to discuss the mitigation techniques,

00:33

and we're going to discuss some detection techniques as well. So what? That let's jump in and look at what accessibility features means. So in minor windows contains features that can be launched with key combinations before user longs into a system

00:51

so threat actors have the capability to modify the way these accessibility features launch

00:57

to get a command prompter back door without having too long into a system. And so

01:02

what would look at in our next example? As far as the RTP sticky Keys feature is where a threat actor when you press shift five times instead of getting the sticky key function,

01:14

you get, ah, command prompt, and so this can be used

01:18

to replace that, execute herbal and then provide you with a command prompt that has system level access. Now, before we jump into that example, let's look at some common attack methods with this particular vector.

01:30

So using sticky keys again, you can obtain unauthorized unauthenticated, privileged consul access. So that's

01:40

pretty big. But there's a few things that have to be done ahead of time. Remember I said that the execute herbal for sticky keys has to be replaced with the command XY

01:51

execute herbal, so it's not something that they can just do right out the gate. A change has to be made. Threat Actors have replaced binaries associated with the S E T H C XY to establish persistence, sticky keys replacement within RTP sessions to obtain persistence

02:09

again. This can also be used

02:12

to bypass the RTP long and screen on remote systems. Wmata debugging has been used to remotely replace binaries like the someone mentioned above you. Tillman on and magnify XY, which are all utilities within the

02:28

accessibility features with the command dot xy

02:32

excusable. So again,

02:36

part of this is going to be understanding how these could impact is persistence and how, If they're not, Skander looked at regularly, a threat actor could possibly go unnoticed.

02:46

So let's take a quick look at the sticky keys on RTP example here. So

02:53

it's beneficial that we break this down these air essentially the steps at a high level, and we're not going to get into new degree detail on the actual manipulation of the registry keys to make this change. But an at a glance, a threat actor would have to replace the sticky keys, execute herbal

03:09

to spawn the command, not dxy instead of running this. And so essentially,

03:14

this is being replaced with command dot xy. So this means even if the account is removed as far as how this one actor initially gained access, remember earlier in our first discussion,

03:27

we said that a threat actor may need to do multiple things once they gain access to a system to maintain persistence. And so they may not just install a backdoor because that could get caught. They may not just change your service because that could be found out as well, so they may do a multitude of things to attempt to keep access to a system

03:46

and that includes ways that they can get back into a system, even if the account they initially compromise

03:52

is removed. And so this is the same here. So even if the account is removed, the system allows you despond a command prompt a system, which is a high level of privilege for that particular command prompt. And so then the Threat actor opens an RTP session to the server and uses

04:10

an invalid user account to stay on that screen. So they keep that open

04:14

through just an invalid user, not logging in. And then the Threat actor would essentially hit shift five times. And this would spawn a system level command problem. Because these utilities are accessible prior to longing into a system. And so because

04:30

that utility has been manipulated to spawn a command prompt instead of the sticky key features,

04:35

it would give the command prompt instead after hitting those keys five times. And so that's something that we want to be aware of within the accessibility features. And this has been recently patched and updated and addressed.

04:46

And as usual, if you're running rdp directly to the Internet and longing into it directly, there's probably VP ends or gateways that you'd want to implement toe, you know, further mitigate the ability of thrown actors to do these things.

05:00

So with that, let's go ahead and talk about some mitigation techniques. So use of some form of execution prevention, like antivirus white listing tools, etcetera, having those things in place that block known malicious entities no malicious attacks

05:14

is going to be a given limit. Access to resource is over the network, and if remote connections are allowed, access to internal network should be even more limited. So again, we had talked about VPN access early on in our discussions,

05:29

and that if a user longs in over VPN connection,

05:32

their access to the network and to re sources should be limited to just what is necessary to function and do their job. They shouldn't be able to see the entire network. From a logical standpoint, they shouldn't be able to access other systems. They shouldn't be ableto paying other systems.

05:47

And again, there are things such as the land hopping and things that are threat actor could do to try and break out of this. But

05:55

again, the goal is to slow them down to, you know, prevent the rapid spread of infection and changes to systems and give, you know, blue team members or security operation members time to get notifications on those activities and potentially stop that threat before it becomes more widespread.

06:14

And then another thing that could be done is the utilisation of network level authentication prior to giving a user the session too long into the network s. So again, this is important with Rdp, as the user must provide legitimate credentials prior to being given access to a session too long into. So

06:32

they'll get the prompt,

06:34

have to provide credentials before they ever get to that initial log in screen. And so this could help to mitigate some of those sticky key capabilities

06:44

that you know they would be able to take advantage of if they were just directly given the log in at the rd p session. So

06:50

this is just a few examples here. You could implement things like Rdp gateways. You can implement V P M

06:58

along with RTP gateways. I mean, there's just a number of ways that you could work to make it that much harder for threat actors to take advantage of things like sticky keys or some of these accessibility features.

07:10

Now,

07:12

when we get into detection techniques, we don't have a huge list here.

07:15

But essentially again, focusing on accessibility features any changes made to accessibility. You utility binaries should be reviewed in users, and administrators really shouldn't be making changes to these areas. And there's nothing really that I could think of.

07:33

That would be normal business process unless you're writing applications to enhance

07:38

these features. But most of us aren't doing that type of work. And so if we are doing some form of network monitoring

07:46

when these activities take place,

07:47

we definitely want to take the time to review them. And then changes to the paths of these utility should be reviewed as well. So again, rarely should we be manipulating file paths for these accessibility features is, well, assistant tools and built in tools and things of that nature. Unless again, we have business software

08:07

that is designed to manipulate these areas for specific purposes. But if we don't have any reasons to be doing so,

08:15

then we should be evaluating that Is those issues come up or is those things come up?

08:20

So with that in mind, Let's go ahead and look A quick check on learning

08:24

true or false sticky keys is activated by pressing the shift key five times.

08:31

All right. Well, if you need some additional time to review the question, please pause The video do so. So sticky. Keys again is an accessibility feature. And as we indicated in the RTP review area, you have to press the shift key five times in orderto activate sticky keys. And so in this case, that would be

08:50

a true statement. So

08:52

with that, let's go ahead and jump over to our summary.

09:00

All right, so today summary we discussed accessibility features again. These are things like the magnify XY sticky keys, any of those utilities that a threat actor could manipulate and used to pose as a legitimate function

09:15

to provide them system level access or to allow them to bypass other controls

09:20

or authentication measures. We discussed some common attack methods. We looked at sticky keys on RTP again, having to change registry keys and information. Prior to this, being a viable attack method

09:33

or persistence mechanism has to be done, so there has to be some other form of compromise prior to getting to this point. But if you've got already P open to the world, I suggest you review your systems and add additional controls to protect those systems. We discussed some mitigation techniques, such as monitoring for binary. I'm sorry.

09:52

Blocking changes to binaries and blocking software is using things like antivirus and other controls