I first heard about this backdoor a long time ago and never really thought it was practical, but it turns out I actually found it on an assessment recently, so I figured I'd bring it up. It involves turning the Sticky Keys accessibility feature into a backdoor.
Windows contains a feature called Sticky Keys, an accessibility feature for users who have physical disabilities. It serializes keystrokes instead of requiring several keys to be held at once: the user can press and release a modifier key such as Shift, Ctrl, Alt, or the Windows key and have it remain active until another key is pressed. You activate Sticky Keys by pressing the Shift key five times. Doing so launches C:\Windows\System32\sethc.exe, and because it can be launched from the logon screen before anyone has signed in, Winlogon runs it as SYSTEM there.
The classic version of the backdoor replaces sethc.exe with a copy of cmd.exe renamed to sethc.exe. Once that is done, activating Sticky Keys at the logon prompt gives you a SYSTEM command prompt. Replacing the file on a modern system is awkward, because System32 binaries are protected by Windows Resource Protection and owned by TrustedInstaller; the registry variant below gets the same result without touching the file at all, by telling Windows to launch a "debugger" (cmd.exe) in place of sethc.exe whenever it starts.
Open a command prompt as Administrator and register cmd.exe as the debugger for sethc.exe under Image File Execution Options:
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\Windows\System32\cmd.exe"
Reboot the machine (signing out is enough, since the IFEO entry applies to every new sethc.exe process immediately), press the Shift key five times at the logon screen, and you have a SYSTEM command prompt without ever logging in.
To remove the backdoor, delete the key and confirm when prompted:
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe"
I used to think this didn't have much legitimate use. If you want to elevate from Administrator to SYSTEM it is one way to do it, but the real reason I think it is worth knowing is that system administrators actually use this backdoor...and then forget to remove it.
So why would a system administrator use a backdoor? The reason explained to me was that a Group Policy disabled the built-in accounts as soon as a system joined the domain, so this admin kept running into situations where he needed a way back into a machine after the GPO had locked out the local accounts.
I guess the moral of the story is that if you're assessing a system, it is worth a minute to check for this backdoor: both the IFEO Debugger entry for sethc.exe and a sethc.exe that is really a renamed cmd.exe.
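Here is an added example (my own audit script, not something from the original post) that checks a host for both variants of the backdoor: the IFEO Debugger value and a swapped-out binary. It assumes you run it from an elevated PowerShell prompt on the machine being assessed. The post only talks about sethc.exe; the extra accessibility executables in the list are my own generalization, since any of them can be launched from the logon screen the same way, so they are worth the same check.

```powershell
# Added example (not from the original post): audit a Windows host for the
# Sticky Keys backdoor. Run from an elevated PowerShell prompt.
#
# Checks, for each accessibility executable:
#   1. An Image File Execution Options "Debugger" value (the registry variant).
#   2. Whether the binary in System32 is really a renamed cmd.exe (the file
#      replacement variant): a genuine binary is Microsoft-signed and its
#      OriginalFilename matches its own name, while a renamed cmd.exe reports
#      "Cmd.Exe".
#
# Assumption: the post covers only sethc.exe; the other names below are added
# because Winlogon can launch them from the logon screen in the same way.

$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$targets  = @('sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
              'magnify.exe', 'displayswitch.exe', 'atbroker.exe')
$findings = @()

foreach ($exe in $targets) {
    # 1. Registry check. There is no legitimate reason for an accessibility
    #    binary to have a Debugger value, so any value at all is a finding.
    $key = Join-Path $ifeoRoot $exe
    if (Test-Path $key) {
        $dbg = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            $findings += [pscustomobject]@{
                Binary = $exe; Check = 'IFEO Debugger'; Detail = $dbg
            }
        }
    }

    # 2. File check: version resource and Authenticode/catalog signature.
    $path = Join-Path $env:SystemRoot "System32\$exe"
    if (Test-Path $path) {
        $orig = (Get-Item $path).VersionInfo.OriginalFilename
        $sig  = Get-AuthenticodeSignature -FilePath $path
        if ($orig -and ($orig -ne $exe)) {   # -ne is case-insensitive in PowerShell
            $findings += [pscustomobject]@{
                Binary = $exe; Check = 'OriginalFilename mismatch'; Detail = $orig
            }
        }
        if ($sig.Status -ne 'Valid') {
            $findings += [pscustomobject]@{
                Binary = $exe; Check = 'Signature'; Detail = $sig.Status
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No accessibility-binary backdoor indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

If the IFEO check fires, the remediation is the REG DELETE shown earlier; if the file check fires, restore the original binary from the Windows component store (sfc /scannow will do it) rather than just deleting the renamed cmd.exe. Signature checks on System32 binaries rely on the catalog store, so run this on the live system rather than against a copied file.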