Persistence on Windows with BackDoors (4/4)
4. Windows Login screen with Sticky Keys or Utilman
This is the last part of basic backdooring for persistence. In our case, we already have a connection to the target via RDP, so we can use Sticky Keys or Utilman as a backdoor to get a terminal on the login screen without entering credentials.
Unless Sticky Keys has been disabled in its options, it works on the login screen: pressing SHIFT 5 times triggers it.
This way, Windows executes the sethc.exe binary from System32. If we replace it with our payload, we can trigger cmd.exe on the login screen. First, we should take ownership of the file and grant ourselves modification permission with the following commands:
Now, lock the session from Start Menu to try our backdoor…
Here is the login screen, where triggering our payload gives access to the terminal.
Press SHIFT 5 times and you get cmd.exe instead of Sticky Keys.
The second method to get terminal access on the login screen is to abuse Utilman, which provides the Ease of Access option on the login screen. In the same way, Windows executes utilman.exe from System32, and a similar process can be followed to set a backdoor shortcut for the login screen. We can replace utilman.exe with our payload to trigger Command Prompt, granting the privileges first as we did with sethc.exe.
Now, lock the current session to see it.
…and continue by clicking on the Ease of Access option.
It triggers cmd.exe since we replaced utilman.exe with our payload.
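
Both methods leave the same traces on disk: the accessibility binary's content matches a shell, and its owner and permissions no longer match the defaults. The following PowerShell audit is an added example for defenders, not code from the original post; the variable names are illustrative, and it assumes that on a clean install both files are owned by `NT SERVICE\TrustedInstaller` and that no other principal has write access to them.

```powershell
# Added defensive audit (not from the original post). Run from an elevated prompt.
$sys32   = Join-Path $env:SystemRoot 'System32'
$targets = 'sethc.exe', 'utilman.exe'            # binaries reachable from the login screen
$shells  = 'cmd.exe', 'WindowsPowerShell\v1.0\powershell.exe'
$expectedOwner = 'NT SERVICE\TrustedInstaller'   # assumption: default owner on a clean install
$write = [System.Security.AccessControl.FileSystemRights]::WriteData

# Map the SHA-256 of each shell binary to its name so a swapped-in copy is recognised.
$shellHashes = @{}
foreach ($s in $shells) {
    $p = Join-Path $sys32 $s
    if (Test-Path -LiteralPath $p) {
        $shellHashes[(Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash] = $s
    }
}

$report = foreach ($t in $targets) {
    $path = Join-Path $sys32 $t
    $findings = @()
    if (-not (Test-Path -LiteralPath $path)) {
        $findings += 'file missing'
    } else {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $acl  = Get-Acl -LiteralPath $path
        # Content check: the file is byte-identical to a command shell.
        if ($shellHashes.ContainsKey($hash)) {
            $findings += "content identical to $($shellHashes[$hash])"
        }
        # Ownership check: replacing the file requires taking ownership first.
        if ($acl.Owner -ne $expectedOwner) {
            $findings += "owner is $($acl.Owner)"
        }
        # Permission check: Allow entries with write access for anyone but TrustedInstaller.
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                (($ace.FileSystemRights -band $write) -ne 0) -and
                $ace.IdentityReference.Value -ne $expectedOwner) {
                $findings += "write access for $($ace.IdentityReference.Value)"
            }
        }
    }
    [pscustomobject]@{
        File     = $t
        Suspect  = [bool]$findings.Count
        Findings = $findings -join '; '
    }
}
$report | Format-Table -AutoSize -Wrap
```

A file flagged here can be restored from a known-good source with `sfc /scannow`, and the session that changed it should be treated as compromised.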