Windows Sticky Keys Exploitation: A Critical Security Vulnerability in Windows Authentication Mechanisms
Richard Wadsworth
ISO 22301\27001A CSP BAPC SFPC SDPC SPOPC SMPC SSPC USFC ALPC CDSPC KEPC KIKF SPLPC DEPC DCPC DFPC DTPC IMPC CSFPC CEHPC SDLPC HDPC C3SA BTF CTIA CI\CCFI GAIPC CAIPC CAIEPC AIRMPC CPEFPC BCPC
The Windows Sticky Keys Exploit is a well-documented post-exploitation methodology that adversaries leverage to circumvent authentication mechanisms on Windows-based systems. This attack vector capitalizes on an inherent accessibility feature to elevate privileges and establish unauthorized control. Of particular concern is the exploitation of this technique on a Domain Controller (DC), where the implications extend beyond local privilege escalation to the compromise of Active Directory (AD) environments, enabling adversaries to extract domain administrative credentials and persist within enterprise networks.
The persistence and stealth of this exploit make it particularly attractive to threat actors seeking to escalate privileges in a Windows environment. Unlike more complex exploitation techniques that rely on zero-day vulnerabilities or advanced malware, this method utilizes built-in Windows functionality, making detection more challenging. Attackers employing this approach can effectively bypass endpoint detection and response (EDR) solutions, forensic monitoring, and traditional authentication safeguards.
This article critically examines the mechanics of the Sticky Keys Exploit, its applicability in penetrating Domain Controllers, and the defensive strategies necessary to mitigate its impact. Furthermore, we will explore the historical context of this exploit, its evolution in offensive cybersecurity operations, and its implications for enterprise security architectures.
Technical Overview of the Sticky Keys Exploit
Sticky Keys is an accessibility feature that helps users who struggle with simultaneous key presses. It is activated by pressing the Shift key five times in succession, which invokes the sethc.exe executable, including at the logon screen prior to user authentication. This design choice allows users with disabilities to activate keyboard shortcuts without complex input, but it also presents a security risk when leveraged as an attack vector.
This exploit stems from the ability to manipulate system binaries prior to login, allowing attackers to replace the Sticky Keys executable (sethc.exe) with an arbitrary program such as cmd.exe. By leveraging this substitution, adversaries can invoke a privileged command shell without authentication, thereby compromising system integrity. Since the attack occurs at the Windows logon screen, before user authentication takes place, no traditional user privilege escalation is required.
Additionally, attackers may replace sethc.exe with other malicious payloads, such as PowerShell scripts that fetch malware from external sources, further extending the scope of compromise.
Exploiting Sticky Keys for Privilege Escalation
Step 1: Substituting sethc.exe
An attacker with physical or remote pre-boot access can modify system files by booting into Windows Recovery Mode or using a Live CD/USB. The attack follows these steps. Once in recovery mode, check the drive letters first (the system volume is not always mapped to the same letter as in a normal boot), then locate sethc.exe, the Sticky Keys binary:
c:\Windows\System32\sethc.exe
Take a copy of the executable so you can revert after using the hack by repeating the steps shown in the video:
copy c:\Windows\System32\sethc.exe c:\Windows\System32\sethcbk.exe
The original is then replaced with a copy of cmd.exe:
copy c:\Windows\System32\cmd.exe c:\Windows\System32\sethc.exe
Alternatively, from within the System32 folder, an attacker may rename the original binary so that it can be restored post-compromise:
ren sethc.exe sethc.bak
copy cmd.exe sethc.exe
Step 2: Activation of the Exploit
Once the malicious substitution is in place, restarting the system and pressing Shift five times at the authentication screen triggers execution of cmd.exe—now running with NT AUTHORITY\SYSTEM privileges—providing an adversary with unrestricted command-line access. This level of access is equivalent to the highest system privileges, allowing the attacker to make administrative-level changes to the system.
Step 3: Establishing Persistent Access
With SYSTEM-level access, an adversary can establish a persistent presence by creating a new administrative user:
net user attacker SecurePass123 /add
net localgroup Administrators attacker /add
This allows for continued exploitation even if the original vulnerability is patched or mitigated. Additionally, attackers can modify security policies, disable auditing, and install additional backdoors to ensure long-term persistence.
From here you can also reset the password of an existing user with:
net user USERNAME NEWPASS
The Impact of the Sticky Keys Exploit on Domain Controllers
When executed against a Domain Controller (DC), this exploit escalates from a local security incident to a full-fledged Active Directory compromise. The following are key risks posed when this technique is leveraged against a DC:
1. Extraction of Domain Administrator Credentials
Upon gaining SYSTEM-level access on a DC, an attacker can enumerate privileged accounts using the following (whoami is a built-in command on later versions of Windows):
whoami /groups
net user /domain
Moreover, tools such as Mimikatz can be employed to retrieve NTLM hashes and Kerberos tickets, allowing for Pass-the-Hash (PtH) or Golden Ticket attacks. These credential theft techniques enable adversaries to gain access to other systems within the network, effectively compromising the entire domain infrastructure.
2. Privilege Escalation via Account Manipulation
An adversary may escalate privileges by directly resetting the Domain Administrator account password:
net user Administrator NewSecurePassword /domain
This grants immediate control over Active Directory, facilitating lateral movement and long-term persistence. Attackers can also modify Group Policy Objects (GPOs) to propagate malicious configurations across the enterprise network.
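The account creation, group addition and password reset commands shown in Step 3 and in the section above all leave entries in the Windows Security log, and because a shell launched from the logon screen runs as NT AUTHORITY\SYSTEM, the acting subject on those entries is the well-known SID S-1-5-18 rather than a named administrator. The following PowerShell hunt is an added example and not part of the original article; it assumes an elevated session and that the default account-management auditing is enabled (it is on domain controllers by default). The function name and the 72-hour window are the example's own choices.

```powershell
# Added example, not from the original article: pull the Security log events
# that "net user /add", "net localgroup ... /add" and "net user X NEWPASS"
# generate, and flag those performed by the SYSTEM account.

function Get-AccountManipulationEvents {
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # 4720  user account created               (net user X /add)
    # 4732  member added to a local group       (net localgroup Administrators X /add)
    # 4728  member added to a global group      (domain-level equivalent on a DC)
    # 4724  password reset by another principal (net user X NEWPASS)
    $ids    = 4720, 4732, 4728, 4724
    $filter = @{ LogName = 'Security'; Id = $ids; StartTime = (Get-Date).AddHours(-$Hours) }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the EventData name/value pairs into a hashtable
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

            # A shell started from the logon screen acts as S-1-5-18, which the
            # event shows as the computer account (HOSTNAME$). An administrator
            # running the same commands from a normal session appears under
            # their own account instead.
            $bySystem = $data['SubjectUserSid'] -eq 'S-1-5-18'

            [pscustomobject]@{
                TimeCreated   = $_.TimeCreated
                EventId       = $_.Id
                Subject       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Target        = if ($data['MemberName']) { $data['MemberName'] } else { $data['TargetUserName'] }
                Group         = if ($_.Id -in (4732, 4728)) { $data['TargetUserName'] } else { $null }
                ActedAsSystem = $bySystem
            }
        }
}

# Review the SYSTEM-initiated changes first. Legitimate provisioning tools that
# run as SYSTEM also appear here, so treat the output as a triage queue.
Get-AccountManipulationEvents -Hours 72 |
    Where-Object ActedAsSystem |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, EventId, Subject, Target, Group -AutoSize
```

On a Domain Controller the same query also surfaces the domain-level reset of the Administrator account (event 4724 with the DC as subject), which is why forwarding DC Security logs to a central collector matters: an attacker with SYSTEM on the DC can clear the local log, but not the copies already shipped.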
3. Lateral Movement and AD Persistence
With elevated privileges, an adversary can:
Defensive Strategies Against Sticky Keys Exploitation
1. Restrict Unauthorized System Modifications
2. Implement Continuous Monitoring
3. Disable Sticky Keys as an Attack Vector
Administrators should proactively disable the Sticky Keys hotkey on the logon screen by modifying the Windows Registry. The logon screen reads accessibility settings from the .DEFAULT user hive rather than from HKEY_LOCAL_MACHINE, so the value to set is:
reg add "HKEY_USERS\.DEFAULT\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_SZ /d 506 /f
The value 506 is the default 510 with the hotkey bit (0x4) cleared. This removes only the five-Shift trigger; it does not prevent the offline replacement of sethc.exe itself, which is addressed by protecting the system volume (for example with BitLocker) and restricting boot from removable media.
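The two host-side checks that follow from the technical overview and from this section are whether sethc.exe is still the genuine binary and whether the logon-screen hotkey is active. The script below is an added example, not part of the original article; it assumes an elevated PowerShell session on Windows 8 or later, and the function names are its own. The key point it encodes is that Windows system binaries are catalog-signed by hash, so a cmd.exe copied over sethc.exe still reports a valid signature; the reliable tell-tale is the OriginalFilename in the PE version resource, which travels with the file contents rather than the file name.

```powershell
# Added example, not from the original article: audit a host for a replaced
# sethc.exe and for an active Sticky Keys hotkey on the logon screen, with an
# optional function that clears only the hotkey bit.

$SethcPath          = Join-Path $env:SystemRoot 'System32\sethc.exe'
$LogonStickyKeysKey = 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Accessibility\StickyKeys'

function Test-SethcIntegrity {
    param([string]$Path = $SethcPath)

    $versionInfo = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo
    $signature   = Get-AuthenticodeSignature -FilePath $Path

    # A genuine sethc.exe names itself "sethc.exe" in its version resource;
    # a copied cmd.exe still says "Cmd.Exe". A mismatch between the file name
    # and OriginalFilename is the signature of the swap described above.
    $nameMismatch = -not [string]::IsNullOrEmpty($versionInfo.OriginalFilename) -and
                    $versionInfo.OriginalFilename -notlike 'sethc*'

    # Caveat: catalog signing is by hash, so the copied cmd.exe validates as
    # "Valid". The signature check only catches an unsigned or tampered payload.
    [pscustomobject]@{
        Path             = $Path
        OriginalFilename = $versionInfo.OriginalFilename
        FileDescription  = $versionInfo.FileDescription
        SignatureStatus  = $signature.Status
        Suspicious       = $nameMismatch -or ($signature.Status -ne 'Valid')
    }
}

function Get-LogonStickyKeysHotkey {
    # Flags is a REG_SZ holding a decimal bitmask. Bit 0x4 (SKF_HOTKEYACTIVE)
    # is what makes five Shift presses launch sethc.exe. The default 510 has it
    # set; 506 is the same mask with that bit cleared.
    $raw   = (Get-ItemProperty -Path $LogonStickyKeysKey -Name Flags -ErrorAction SilentlyContinue).Flags
    $flags = if ($raw) { [int]$raw } else { 510 }   # absent value means Windows defaults apply
    [pscustomobject]@{
        Key           = $LogonStickyKeysKey
        Flags         = $flags
        HotkeyEnabled = [bool]($flags -band 0x4)
    }
}

function Disable-LogonStickyKeysHotkey {
    if (-not (Test-Path $LogonStickyKeysKey)) { New-Item -Path $LogonStickyKeysKey -Force | Out-Null }
    $current = (Get-LogonStickyKeysHotkey).Flags
    $new     = $current -band (-bnot 0x4)     # clear only the hotkey bit, keep the rest
    Set-ItemProperty -Path $LogonStickyKeysKey -Name Flags -Value ([string]$new) -Type String
    Get-LogonStickyKeysHotkey
}

Test-SethcIntegrity       | Format-List
Get-LogonStickyKeysHotkey | Format-List
# Disable-LogonStickyKeysHotkey   # uncomment to apply the registry fix
```

As a second opinion on the binary, sfc /verifyfile=C:\Windows\System32\sethc.exe compares the file against the component store and reports a mismatch for a swapped copy; running both checks from a scheduled task or your endpoint management tooling gives continuous coverage of the file the article is about.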
4. Harden Authentication Mechanisms
The Windows Sticky Keys Exploit exemplifies how accessibility features can be weaponized to subvert authentication protocols. The attack is simple yet effective, and its implications become critical when it is executed against Domain Controllers, leading to Active Directory compromise. Organizations must adopt a multi-layered security approach encompassing system hardening, privilege management, network segmentation, and real-time monitoring to mitigate this vulnerability and safeguard enterprise environments. Continuous security training, incident response planning, and proactive mitigation strategies are essential to reducing the risk posed by this and other privilege escalation techniques.
The video demonstrates how to use the repair wizard to exploit the operating system, create a new account, add it to the administrators' group, and reset the password of an existing user on a Windows 7 legacy system. The last part shows me putting the correct sethc.exe back.
This still works on later operating systems using the same process. You use this at your own risk, but it is a great way of gaining access to your devices, especially if they have been in storage and the passwords long forgotten. But it is dangerous: never leave the operating system compromised. The fact that this can be done on a DC and expose your network administrator account is frightening.
I was able to do the same thing to Windows 11.