├── License ├── README.md └── TestFor-StickyKey.ps1 /License: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2016 Jonathan C Trull 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # sticky-keys-scanner 2 | 3 | A PowerShell function that scans for the existence of Sticky Key backdoors. 4 | 5 | You can either import and run this PowerShell function locally on the suspected computer 6 | or use PowerShell remoting to run the scanner across multiple computers using the Invoke-Command 7 | cmdlet. 8 | 9 | What are Sticky Key backdoors? 10 | 11 | Sticky Keys are part of the Windows operating system and are designed for people with difficulty 12 | holding down two or more keys simultaneously. There are two primary methods for installing the backdoor. 13 | 14 | (1) Attackers replace accessibility programs (sethc.exe, utilman.exe, osk.exe, narrator.exe, magnify.exe, 15 | displayswitch.exe) with programs that provide system-level shell access such as explorer.exe, cmd.exe, 16 | or powershell.exe. and/or 17 | 18 | (2) Attackers modify the registry to set cmd.exe and other shell programs as debuggers for the above listed 19 | accessibility programs. For example: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File 20 | Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "c:\windows\system32\cmd.exe" 21 | 22 | Once installed, an attacker can access the backdoor by pressing the appropriate accessibility sticky key. 23 | For example, windows_key+u key combination would be pressed by the attacker to gain access to a system-level command 24 | prompt if the utilman.exe program was targeted. 25 | 26 | Credits: 27 | 28 | http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Proactive-APT-Hunting-Style-Joshua-Theimer-and-Hao-Wang-EY.pdf 29 | http://carnal0wnage.attackresearch.com/2012/04/privilege-escalation-via-sticky-keys.html 30 | https://zachgrace.com/2015/03/23/hunting-sticky-keys-backdoors.html 31 | https://www.crowdstrike.com/blog/registry-analysis-with-crowdresponse/ 32 | http://www.jonathanmedd.net/2014/02/testing-for-the-presence-of-a-registry-key-and-value.html 33 | -------------------------------------------------------------------------------- /TestFor-StickyKey.ps1: -------------------------------------------------------------------------------- 1 | function TestFor-StickyKey { 2 | 3 | Write-Host 4 | 5 | $cmdHash = Get-FileHash -LiteralPath $env:windir\System32\cmd.exe 6 | $psHash = Get-FileHash -LiteralPath $env:windir\System32\WindowsPowerShell\v1.0\powershell.exe 7 | $explorerHash = Get-FileHash -LiteralPath $env:windir\explorer.exe 8 | $sethcHash = Get-FileHash -LiteralPath $env:windir\System32\sethc.exe 9 | $oskHash = Get-FileHash -LiteralPath $env:windir\System32\osk.exe 10 | $narratorHash = Get-FileHash -LiteralPath $env:windir\System32\Narrator.exe 11 | $magnifyHash = Get-FileHash -LiteralPath $env:windir\System32\Magnify.exe 12 | $displayswitchHash = Get-FileHash -LiteralPath $env:windir\System32\DisplaySwitch.exe 13 | 14 | if ($cmdHash.Hash -eq $sethcHash.Hash) { 15 | 16 | Write-Output "Possible backdoor found. sethc.exe replaced with cmd.exe" 17 | Write-Host 18 | Write-Output "Checked the following hashes:" 19 | Write-Output "cmd.exe: $($cmdHash.Hash)" 20 | Write-Output "sethc.exe: $($sethcHash.Hash)" 21 | Write-Host 22 | 23 | } 24 | 25 | if ($explorerHash.Hash -eq $sethcHash.Hash) { 26 | 27 | Write-Output "Possible backdoor found. sethc.exe replaced with explorer.exe" 28 | Write-Host 29 | Write-Output "Checked the following hashes:" 30 | Write-Output "explorer.exe: $($explorerHash.Hash)" 31 | Write-Output "sethc.exe: $($sethcHash.Hash)" 32 | Write-Host 33 | 34 | } 35 | 36 | if ($psHash.Hash -eq $sethcHash.Hash) { 37 | 38 | Write-Output "Possible backdoor found. sethc.exe replaced with powershell.exe" 39 | Write-Host 40 | Write-Output "Checked the following hashes:" 41 | Write-Output "powershell.exe: $($psHash.Hash)" 42 | Write-Output "sethc.exe: $($sethcHash.Hash)" 43 | Write-Host 44 | 45 | } 46 | 47 | if ($cmdHash.Hash -eq $oskHash.Hash) { 48 | 49 | Write-Output "Possible backdoor found. osk.exe replaced with cmd.exe" 50 | Write-Host 51 | Write-Output "Checked the following hashes:" 52 | Write-Output "cmd.exe: $($cmdHash.Hash)" 53 | Write-Output "osk.exe: $($oskHash.Hash)" 54 | Write-Host 55 | 56 | } 57 | 58 | if ($explorerHash.Hash -eq $oskHash.Hash) { 59 | 60 | Write-Output "Possible backdoor found. osk.exe replaced with explorer.exe" 61 | Write-Host 62 | Write-Output "Checked the following hashes:" 63 | Write-Output "explorer.exe: $($explorerHash.Hash)" 64 | Write-Output "osk.exe: $($oskHash.Hash)" 65 | Write-Host 66 | 67 | } 68 | 69 | if ($psHash.Hash -eq $oskHash.Hash) { 70 | 71 | Write-Output "Possible backdoor found. osk.exe replaced with powershell.exe" 72 | Write-Host 73 | Write-Output "Checked the following hashes:" 74 | Write-Output "powershell.exe: $($psHash.Hash)" 75 | Write-Output "osk.exe: $($oskHash.Hash)" 76 | Write-Host 77 | 78 | } 79 | 80 | if ($cmdHash.Hash -eq $narratorHash.Hash) { 81 | 82 | Write-Output "Possible backdoor found. narrator.exe replaced with cmd.exe" 83 | Write-Host 84 | Write-Output "Checked the following hashes:" 85 | Write-Output "cmd.exe: $($cmdHash.Hash)" 86 | Write-Output "narrator.exe: $($narrator.Hash)" 87 | Write-Host 88 | 89 | } 90 | 91 | if ($explorerHash.Hash -eq $narratorHash.Hash) { 92 | 93 | Write-Output "Possible backdoor found. narrator.exe replaced with explorer.exe" 94 | Write-Host 95 | Write-Output "Checked the following hashes:" 96 | Write-Output "explorer.exe: $($explorerHash.Hash)" 97 | Write-Output "narrator.exe: $($narratorHash.Hash)" 98 | Write-Host 99 | 100 | } 101 | 102 | if ($psHash.Hash -eq $narratorHash.Hash) { 103 | 104 | Write-Output "Possible backdoor found. narrator.exe replaced with powershell.exe" 105 | Write-Host 106 | Write-Output "Checked the following hashes:" 107 | Write-Output "powershell.exe: $($psHash.Hash)" 108 | Write-Output "narrator.exe: $($oskHash.Hash)" 109 | Write-Host 110 | 111 | } 112 | 113 | if ($cmdHash.Hash -eq $magnifyHash.Hash) { 114 | 115 | Write-Output "Possible backdoor found. magnify.exe replaced with powershell.exe" 116 | Write-Host 117 | Write-Output "Checked the following hashes:" 118 | Write-Output "cmd.exe: $($cmdHash.Hash)" 119 | Write-Output "magnify.exe: $($magnifyHash.Hash)" 120 | Write-Host 121 | 122 | } 123 | 124 | if ($explorerHash.Hash -eq $magnifycHash.Hash) { 125 | 126 | Write-Output "Possible backdoor found. sethc.exe replaced with explorer.exe" 127 | Write-Host 128 | Write-Output "Checked the following hashes:" 129 | Write-Output "explorer.exe: $($explorerHash.Hash)" 130 | Write-Output "magnify.exe: $($magnifyHash.Hash)" 131 | Write-Host 132 | 133 | } 134 | 135 | if ($psHash.Hash -eq $magnifyHash.Hash) { 136 | 137 | Write-Output "Possible backdoor found. magnify.exe replaced with powershell.exe" 138 | Write-Host 139 | Write-Output "Checked the following hashes:" 140 | Write-Output "powershell.exe: $($psHash.Hash)" 141 | Write-Output "magnify.exe: $($magnifyHash.Hash)" 142 | Write-Host 143 | 144 | } 145 | 146 | if ($cmdHash.Hash -eq $displayswitchHash.Hash) { 147 | 148 | Write-Output "Possible backdoor found. displayswitch.exe replaced with powershell.exe" 149 | Write-Host 150 | Write-Output "Checked the following hashes:" 151 | Write-Output "cmd.exe: $($cmdHash.Hash)" 152 | Write-Output "displayswitch.exe: $($displayswitchHash.Hash)" 153 | Write-Host 154 | 155 | } 156 | 157 | if ($explorerHash.Hash -eq $displayswitchHash.Hash) { 158 | 159 | Write-Output "Possible backdoor found. displayswitch.exe replaced with explorer.exe" 160 | Write-Host 161 | Write-Output "Checked the following hashes:" 162 | Write-Output "explorer.exe: $($explorerHash.Hash)" 163 | Write-Output "displayswitch.exe: $($displayswitchHash.Hash)" 164 | Write-Host 165 | 166 | } 167 | 168 | if ($psHash.Hash -eq $displayswitchHash.Hash) { 169 | 170 | Write-Output "Possible backdoor found. displayswitch.exe replaced with powershell.exe" 171 | Write-Host 172 | Write-Output "Checked the following hashes:" 173 | Write-Output "powershell.exe: $($psHash.Hash)" 174 | Write-Output "displayswitch.exe: $($magnifyHash.Hash)" 175 | Write-Host 176 | 177 | } 178 | 179 | $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\' 180 | $nameSethc = 'sethc.exe' 181 | $nameUtilman = 'utilman.exe' 182 | $property = 'Debugger' 183 | 184 | if (Test-Path -LiteralPath ($key + $nameSethc)) { 185 | 186 | $tb = Get-Item -LiteralPath ($key + $nameSethc) 187 | 188 | if ($tb.GetValue($property) -ne $null) { 189 | 190 | Write-Output "Possible backdoor identified at:" 191 | Get-Item -LiteralPath ($key + $nameSethc) 192 | Write-Output "" 193 | Write-Output "Investigate to determine if value of Debugger property set to system-level shell 194 | - e.g., cmd.exe" 195 | Write-Host 196 | 197 | } 198 | 199 | } 200 | 201 | if (Test-Path -LiteralPath ($key + $nameUtilman)) { 202 | 203 | $tb = Get-Item -LiteralPath ($key + $nameUtilman) 204 | 205 | if ($tb.GetValue($property) -ne $null) { 206 | 207 | Write-Output "Possible backdoor identified at:" 208 | Get-Item -LiteralPath ($key + $nameUtilman) 209 | Write-Output "" 210 | Write-Output "Investigate to determine if value of Debugger property set to system-level shell 211 | - e.g., cmd.exe" 212 | Write-Host 213 | 214 | } 215 | 216 | } 217 | 218 | } 219 | 220 | --------------------------------------------------------------------------------