
Introduction:
The “sticky keys” backdoor remains one of the most overlooked yet high-impact authentication bypasses on Windows systems. An attacker who already holds administrative or offline access replaces `C:\Windows\System32\sethc.exe` with a copy of `cmd.exe`; from then on, pressing Shift five times at the logon screen spawns a SYSTEM-level command prompt before any credentials are entered. Testing for this by hand is trivial on a single machine but impractical across thousands of internet-exposed RDP servers. Security firm Praetorian has addressed this gap by adding automated sticky keys detection to its open-source credential testing tool, Brutus, using WebAssembly, pixel analysis and optional AI-driven confirmation to make large-scale RDP assessments efficient and pipeline-ready.
Learning Objectives:
- Understand the mechanics of the sticky keys (sethc.exe) accessibility backdoor and its exploitation path.
- Learn how to deploy and use Brutus to automate the detection of this vulnerability across RDP endpoints.
- Explore integration techniques using tools like naabu and Nerva to build scalable RDP security scanning pipelines.
You Should Know:
1. Setting Up Brutus for RDP Sticky Keys Detection
Brutus is a Go-based credential testing tool that now supports RDP through the IronRDP library, compiled to WebAssembly and embedded in the Go binary. This avoids CGO compilation and GPL-licensed RDP packages, so builds stay portable and cross-platform.
Step-by-step guide explaining what this does and how to use it:
– Step 1: Install Go – Ensure Go 1.20+ is installed on your Linux or Windows system. Distribution packages can lag behind; if `go version` reports something older than 1.20, install from go.dev instead.
Linux:
sudo apt update && sudo apt install golang-go -y
Windows (via Chocolatey):
choco install golang
– Step 2: Build Brutus from source – Clone the repository and build the binary. The repository is maintained by Praetorian; the commands below follow standard Go project practice, and the subcommand and flag names used throughout this article are illustrative, so check the repository README for the actual syntax.
git clone https://github.com/praetorian-inc/brutus.git
cd brutus
go build
– Step 3: Run a basic sticky keys detection scan – Target a single RDP server to test functionality.
./brutus rdp --target 192.168.1.100 --check-stickykeys
The tool connects, sends five Shift keypresses as RDP keyboard input, and analyzes the resulting screen state.
2. Understanding RDP Configuration and the Sticky Keys Binary
The core weakness lies in Windows’ accessibility features. Winlogon runs `C:\Windows\System32\sethc.exe` as SYSTEM on the secure desktop when Shift is pressed five times, including at the logon screen. Replacing that binary with `cmd.exe` or `powershell.exe` therefore yields a pre-authentication SYSTEM shell. Making the swap requires prior administrative access or offline access to the disk (for example by booting from removable media), because the file is owned by TrustedInstaller; this is a persistence backdoor left behind by an attacker or a careless administrator, not an initial foothold. Over RDP it is reachable only when the server shows the logon screen to unauthenticated clients, i.e. when Network Level Authentication (NLA) is not required.
– Manual exploitation check – To understand what Brutus automates, you can manually test a vulnerable server (with authorization):
1. Connect to the target via RDP.
2. At the logon screen, press the Shift key five times.
3. If a command prompt appears instead of the Sticky Keys dialog, the backdoor is present.
– Mitigation commands – To harden a Windows system, restrict permissions on the binary. Run from an elevated prompt:
takeown /f C:\Windows\System32\sethc.exe
icacls C:\Windows\System32\sethc.exe /inheritance:r
icacls C:\Windows\System32\sethc.exe /remove:g "BUILTIN\Users"
icacls C:\Windows\System32\sethc.exe /grant:r "BUILTIN\Administrators:F" "NT AUTHORITY\SYSTEM:RX"
SYSTEM keeps read and execute because winlogon launches the binary under that account. Treat the ACL change as defense in depth only: an attacker who already holds administrative rights can take ownership back. The controls that actually close the attack path are requiring NLA for RDP (`UserAuthentication` = 1 under `HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp`), so the logon screen is never rendered before authentication, and file integrity monitoring on the accessibility binaries (`sethc.exe`, `utilman.exe`, `osk.exe`, `narrator.exe`, `magnify.exe`, `displayswitch.exe`).
– Detection via registry – Attackers may also leave `sethc.exe` untouched and set an Image File Execution Options (IFEO) `Debugger` value for it, which makes Windows start the named program in its place. Check for it with:
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger
Any `Debugger` value under this key, or under the IFEO keys of the other accessibility binaries, is suspicious; a clean system normally has no IFEO key for `sethc.exe` at all.
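Before pointing a sticky keys scanner at a host it is worth knowing whether the logon screen is reachable at all. A server that enforces NLA answers a client that offers only TLS with an RDP_NEG_FAILURE of HYBRID_REQUIRED_BY_SERVER, while a server that accepts TLS, or that replies with a bare legacy Connection Confirm, will render the logon screen for anyone. The Go program below is an added example written for this article, not Brutus or Praetorian code: it performs that X.224 negotiation directly from the MS-RDPBCGR packet layout and reports one of three verdicts. The byte layouts are from the specification; the 64-byte reply cap and the five-second timeout are assumptions, and any host you run it against must be in scope.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
	"os"
	"time"
)

// RDP_NEG_REQ requestedProtocols flags and the RDP_NEG_FAILURE failureCode used here.
const (
	ProtocolSSL           uint32 = 0x1 // TLS
	ProtocolHybrid        uint32 = 0x2 // CredSSP, i.e. NLA
	FailureHybridRequired uint32 = 5   // HYBRID_REQUIRED_BY_SERVER
)

// BuildConnectionRequest returns TPKT(ver 3, len 19) | X.224 CR (LI 14, code 0xE0,
// DST-REF, SRC-REF, class 0) | RDP_NEG_REQ (type 1, flags 0, len 8, requestedProtocols LE).
func BuildConnectionRequest(requested uint32) []byte {
	pkt := []byte{0x03, 0x00, 0x00, 0x13, 0x0e, 0xe0, 0, 0, 0, 0, 0, 0x01, 0x00, 0x08, 0x00}
	return binary.LittleEndian.AppendUint32(pkt, requested)
}

// Confirm is the decoded Connection Confirm; a bare CC without a negotiation
// trailer (legacy standard RDP security) decodes as the zero value.
type Confirm struct {
	Failed      bool   // trailer was RDP_NEG_FAILURE rather than RDP_NEG_RSP
	Selected    uint32 // RDP_NEG_RSP.selectedProtocol
	FailureCode uint32 // RDP_NEG_FAILURE.failureCode
}

// ParseConnectionConfirm decodes one complete TPKT-framed Connection Confirm.
func ParseConnectionConfirm(b []byte) (c Confirm, err error) {
	if len(b) < 11 || b[0] != 0x03 || int(binary.BigEndian.Uint16(b[2:])) != len(b) || b[5] != 0xD0 {
		return c, errors.New("not a TPKT-framed X.224 Connection Confirm")
	}
	if len(b) < 19 {
		return c, nil // no negotiation trailer
	}
	switch b[11] {
	case 0x02: // TYPE_RDP_NEG_RSP
		c.Selected = binary.LittleEndian.Uint32(b[15:])
	case 0x03: // TYPE_RDP_NEG_FAILURE
		c.Failed, c.FailureCode = true, binary.LittleEndian.Uint32(b[15:])
	default:
		return c, errors.New("unknown negotiation trailer type")
	}
	return c, nil
}

// Verdict is what the reply to a TLS-only request says about the logon screen.
type Verdict string

const (
	NLARequired    Verdict = "nla-required"     // no logon screen without credentials
	NLANotRequired Verdict = "nla-not-required" // logon screen rendered: sticky keys check applies
	Undetermined   Verdict = "undetermined"     // some other negotiation failure
)

// Classify: HYBRID_REQUIRED_BY_SERVER means NLA is enforced; TLS accepted, or a
// bare legacy CC, means an unauthenticated client will be shown the logon screen.
func Classify(c Confirm) Verdict {
	switch {
	case !c.Failed:
		return NLANotRequired
	case c.FailureCode == FailureHybridRequired:
		return NLARequired
	default:
		return Undetermined
	}
}

// ProbeNLA dials host:port, sends the TLS-only request and classifies the reply.
func ProbeNLA(addr string, timeout time.Duration) (Verdict, error) {
	conn, err := net.DialTimeout("tcp", addr, timeout)
	if err != nil {
		return Undetermined, err
	}
	defer conn.Close()
	_ = conn.SetDeadline(time.Now().Add(timeout))
	if _, err = conn.Write(BuildConnectionRequest(ProtocolSSL)); err != nil {
		return Undetermined, err
	}
	buf := make([]byte, 4, 64) // TPKT header first, then the rest of the frame
	if _, err = io.ReadFull(conn, buf); err != nil {
		return Undetermined, err
	}
	n := int(binary.BigEndian.Uint16(buf[2:]))
	if buf[0] != 0x03 || n < 4 || n > cap(buf) {
		return Undetermined, errors.New("not a TPKT response")
	}
	if _, err = io.ReadFull(conn, buf[4:n]); err != nil {
		return Undetermined, err
	}
	c, err := ParseConnectionConfirm(buf[:n])
	if err != nil {
		return Undetermined, err
	}
	return Classify(c), nil
}

func main() { fmt.Println(ProbeNLA(os.Args[1], 5*time.Second)) } // usage: nlaprobe host:3389
```

Run it as a pre-filter over the naabu output: only hosts reported as nla-not-required can show a logon screen, so only those are worth the cost of a full Brutus session. A host that enforces NLA may still carry the backdoored binary (reachable via console or physical access), which is a finding for host-based checks, not for this scanner.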
3. Leveraging Heuristic Pixel Analysis and AI Confirmation
Brutus detects the `cmd.exe` or PowerShell window heuristically. It captures the RDP session’s screen as pixel data and looks for characteristic window elements (a title bar, a dark console area) that a logon screen does not normally contain. For ambiguous cases it can hand the screenshot to a vision-capable AI model for OCR and context analysis.
– Enable heuristic analysis – Pixel analysis is on by default; no extra flag is needed, but verbose output shows what the heuristic saw:
./brutus rdp --target 10.0.0.5 --check-stickykeys -v
– Configure AI confirmation – Set the API key and enable the feature (the variable name and flag are illustrative; check the tool’s documentation):
export CLAUDE_API_KEY="sk-ant-..."
./brutus rdp --target 10.0.0.5 --check-stickykeys --use-ai
The tool sends a base64-encoded screenshot to the vision model, reducing false positives on dark wallpapers, custom logon branding and other screens that a plain dark-rectangle check misreads. Bear in mind that the screenshot leaves your environment: logon screens can show hostnames, domain names and usernames, so confirm that sending them to a third-party API is within the engagement’s data-handling rules.
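As an added illustration of the heuristic described above, written for this article and not Brutus’s own code (whose exact rules are not published here), the Go program below models a console window as a large, mostly dark rectangle holding a little light text and searches a capture for one on a 16-pixel tile grid. The screens it analyses are constructed in code rather than captured (a blue logon screen, the same screen with a cmd.exe-style window over it, and a dark wallpaper with a light date bar), and every threshold is an assumption tuned for those samples.

```go
package main

import (
	"fmt"
	"image"
	"image/color"
	"image/draw"
)

// Assumed model: a console is a mostly dark box (>= 90% dark pixels) that still
// holds some light text (>= 0.2% bright pixels), at least 200x100 px and at most
// 60% of the screen; the capture is analysed on a grid of 16 px tiles.
const (
	tile, minBoxW, minBoxH     = 16, 200, 100
	darkMax, brightMin         = 40, 180 // per-channel pixel thresholds
	maxAreaFrac                = 0.6
	minDarkFrac, minBrightFrac = 0.9, 0.002
)

// count returns how many pixels inside r are dark and how many are bright.
func count(img *image.RGBA, r image.Rectangle) (dark, bright int) {
	for y := r.Min.Y; y < r.Max.Y; y++ {
		for x := r.Min.X; x < r.Max.X; x++ {
			c := img.RGBAAt(x, y)
			if c.R <= darkMax && c.G <= darkMax && c.B <= darkMax {
				dark++
			} else if c.R >= brightMin && c.G >= brightMin && c.B >= brightMin {
				bright++
			}
		}
	}
	return
}

// largestDarkRect returns the largest rectangle of dark tiles (tile units) in a
// row-major grid w tiles wide: heights[x] is the run of dark tiles ending at the
// current row, and each run is widened sideways as far as its neighbours allow.
func largestDarkRect(grid []bool, w int) (best image.Rectangle) {
	heights := make([]int, w)
	for y := 0; y < len(grid)/w; y++ {
		for x := range heights {
			if heights[x]++; !grid[y*w+x] {
				heights[x] = 0
			}
		}
		for x, h := range heights {
			l, r := x, x+1
			for l > 0 && heights[l-1] >= h {
				l--
			}
			for r < w && heights[r] >= h {
				r++
			}
			if h*(r-l) > best.Dx()*best.Dy() {
				best = image.Rect(l, y-h+1, r, y+1)
			}
		}
	}
	return
}

// DetectConsole marks a tile dark when >= 70% of its pixels are dark (sparse text
// must not split a window), takes the largest dark rectangle and applies the
// size, area and text criteria to the pixels inside it.
func DetectConsole(img *image.RGBA) (box image.Rectangle, console bool) {
	b := img.Bounds()
	w := b.Dx() / tile
	grid := make([]bool, w*(b.Dy()/tile))
	for i := range grid {
		dark, _ := count(img, image.Rect(i%w*tile, i/w*tile, i%w*tile+tile, i/w*tile+tile).Add(b.Min))
		grid[i] = dark*10 >= tile*tile*7
	}
	r := largestDarkRect(grid, w)
	box = image.Rect(r.Min.X*tile, r.Min.Y*tile, r.Max.X*tile, r.Max.Y*tile).Add(b.Min)
	n := box.Dx() * box.Dy()
	if box.Dx() < minBoxW || box.Dy() < minBoxH || float64(n) > maxAreaFrac*float64(b.Dx()*b.Dy()) {
		return box, false
	}
	dark, bright := count(img, box)
	return box, float64(dark) >= minDarkFrac*float64(n) && float64(bright) >= minBrightFrac*float64(n)
}

// paint fills r of a constructed sample screen with an opaque colour.
func paint(img *image.RGBA, r image.Rectangle, red, green, blue uint8) {
	draw.Draw(img, r, image.NewUniform(color.RGBA{red, green, blue, 255}), image.Point{}, draw.Src)
}

// LogonScreen builds a constructed 1024x768 sample, not a real RDP capture: a white
// sign-in panel on a blue background (or, with darkWallpaper, on a near-black wallpaper
// with a light date bar); backdoored draws a cmd.exe-style window on top, i.e. a white
// frame and title bar, a black client area and grey bars standing in for text lines.
func LogonScreen(backdoored, darkWallpaper bool) *image.RGBA {
	img := image.NewRGBA(image.Rect(0, 0, 1024, 768))
	paint(img, img.Bounds(), 0, 90, 160)
	if darkWallpaper {
		paint(img, img.Bounds(), 15, 15, 15)
		paint(img, image.Rect(40, 40, 300, 44), 230, 230, 230)
	}
	paint(img, image.Rect(352, 250, 672, 520), 245, 245, 245)
	if backdoored {
		paint(img, image.Rect(200, 150, 840, 560), 255, 255, 255)
		paint(img, image.Rect(200, 180, 840, 560), 12, 12, 12)
		for i := 0; i < 3; i++ {
			paint(img, image.Rect(210, 200+i*18, 610, 202+i*18), 204, 204, 204)
		}
	}
	return img
}

func main() { fmt.Println(DetectConsole(LogonScreen(true, false))) } // (208,176)-(832,560) true
```

The dark-wallpaper sample is deliberately left as a false positive: the strip of wallpaper beside the sign-in panel is dark, carries light text and is well short of full-screen, so the heuristic alone cannot tell it from a console. That is precisely the kind of capture to hand to the vision model rather than report outright, and it is why a pixel heuristic should emit a confidence and a crop, not just a boolean.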
4. Building a Scalable Scanning Pipeline with naabu and Nerva
The real power of Brutus emerges when it is combined with pipeline-ready tools. `naabu` (ProjectDiscovery’s fast port scanner) discovers hosts with RDP exposed, and `nerva` (a tool for orchestrating commands over large scan result sets) can drive Brutus across thousands of targets.
– Step 1: Discover RDP endpoints – Use naabu to scan an in-scope CIDR range for port 3389 (203.0.113.0/24 is a documentation range used here as a placeholder):
naabu -host 203.0.113.0/24 -p 3389 -silent -o rdp_targets.txt
An open port 3389 is not proof of RDP, and hosts that require NLA never show a logon screen, so expect many targets to yield nothing; budget connection timeouts accordingly.
– Step 2: Integrate with Nerva – Nerva manages the queue. A sample pipeline command (syntax illustrative):
nerva run --input rdp_targets.txt --cmd "./brutus rdp --target {{.IP}} --check-stickykeys" --output results.json
– Step 3: Parse results – Filter for confirmed backdoors. The field name `sticky_keys_found` is an assumed output schema; adapt it to what the tool actually emits:
jq '.[] | select(.sticky_keys_found == true)' results.json
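The Go program below is an added example of the glue between Step 1’s target list and Step 3’s jq filter, written for this article; it is not Nerva or Brutus code. The Brutus subcommand, flags and the output marker it looks for are assumptions carried over from the illustrative syntax above, and `sticky_keys_found` is the assumed field name the jq filter selects on. What it adds beyond a shell loop is the part that matters at scale: bounded concurrency, a per-target timeout, and a status that separates timeouts and errors from clean results, because a session that never reached the logon screen is not evidence of a clean host.

```go
package main

import (
	"bufio"
	"context"
	"encoding/json"
	"io"
	"os"
	"os/exec"
	"strings"
	"sync"
	"time"
)

// Result is one element of the JSON array on stdout; sticky_keys_found is the (assumed) jq field.
type Result struct {
	Target          string `json:"target"`
	StickyKeysFound bool   `json:"sticky_keys_found"`
	Status          string `json:"status"` // vulnerable, clean, error or timeout
	Detail          string `json:"detail,omitempty"`
}

// Checker runs the check for one target; a function type so tests can use a fake.
type Checker func(ctx context.Context, target string) (found bool, detail string, err error)

// BrutusChecker shells out to Brutus. Subcommand, flags and the output marker
// follow the article's illustrative syntax and are assumptions: adapt them to
// the tool's real interface, or parse its structured output instead.
func BrutusChecker(binary string) Checker {
	return func(ctx context.Context, target string) (bool, string, error) {
		out, err := exec.CommandContext(ctx, binary, "rdp", "--target", target, "--check-stickykeys").CombinedOutput()
		detail := strings.TrimSpace(string(out))
		return err == nil && strings.Contains(detail, "sticky keys backdoor detected"), detail, err
	}
}

// ReadTargets reads one host[:port] per line (naabu -silent -o format), skipping blanks, # comments and duplicates.
func ReadTargets(r io.Reader) []string {
	var out []string
	seen := map[string]bool{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || seen[line] {
			continue
		}
		seen[line] = true
		out = append(out, line)
	}
	return out
}

// runOne applies the per-target timeout and maps the outcome to a Status.
func runOne(ctx context.Context, target string, check Checker, timeout time.Duration) Result {
	tctx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel()
	found, detail, err := check(tctx, target)
	r := Result{Target: target, StickyKeysFound: found, Detail: detail}
	switch {
	case err != nil && tctx.Err() == context.DeadlineExceeded:
		r.Status = "timeout"
	case err != nil:
		r.Status, r.Detail = "error", strings.TrimSpace(err.Error()+"\n"+detail)
	case found:
		r.Status = "vulnerable"
	default:
		r.Status = "clean"
	}
	return r
}

// Sweep checks every target with at most workers checks in flight and returns
// results in input order, so two runs can be diffed.
func Sweep(ctx context.Context, targets []string, check Checker, workers int, timeout time.Duration) []Result {
	results := make([]Result, len(targets))
	sem := make(chan struct{}, workers)
	var wg sync.WaitGroup
	for i, target := range targets {
		sem <- struct{}{} // blocks until a worker slot is free
		wg.Add(1)
		go func(i int, target string) {
			defer wg.Done()
			results[i] = runOne(ctx, target, check, timeout)
			<-sem
		}(i, target)
	}
	wg.Wait()
	return results
}

func main() {
	f, err := os.Open("rdp_targets.txt") // the naabu output from Step 1
	if err != nil {
		panic(err)
	}
	enc := json.NewEncoder(os.Stdout)
	enc.SetIndent("", "  ")
	_ = enc.Encode(Sweep(context.Background(), ReadTargets(f), BrutusChecker("./brutus"), 32, 90*time.Second))
}
```

Build it with `go build -o rdpsweep .` and run `./rdpsweep > results.json` next to `rdp_targets.txt`; the jq filter from Step 3 then works unchanged. Keep the worker count and timeout proportional to what the tool itself can sustain, since each check is a full RDP session, not a port probe.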
5. Automating Detection and Remediation Workflows
Beyond detection, this toolchain enables automated remediation. Once a backdoor is confirmed, a playbook can trigger remote remediation via WinRM or Ansible, restoring the original `sethc.exe` from a trusted source. Keep in mind what a confirmed finding means: someone already had administrative access to that host. Preserve evidence first (hash and copy the replaced binary, export the IFEO keys, collect logon events), check the other accessibility binaries (`utilman.exe`, `osk.exe`, ...) for the same swap, and run incident response alongside the cleanup rather than treating the restore as the fix.
– Restore original binary using PowerShell Remoting – After detection, if administrative credentials are available:
Invoke-Command -ComputerName target.domain.com -ScriptBlock {
    Copy-Item -Path "C:\Windows\WinSxS\amd64_microsoft-windows-accessibility_\sethc.exe" -Destination "C:\Windows\System32\sethc.exe" -Force
    icacls "C:\Windows\System32\sethc.exe" /setowner "NT SERVICE\TrustedInstaller"
}
The WinSxS directory name varies by Windows build, so resolve it on the target first; `sfc /scanfile=C:\Windows\System32\sethc.exe` is the supported way to have Windows restore a protected system file itself.
– Add to CI/CD pipeline – For DevSecOps, incorporate Brutus scans as a security gate. GitHub Actions runs `run:` scripts with `bash -e`, so a non-zero exit aborts the step before any later `$?` check is reached; test the command’s status directly in an `if`. The snippet keeps the article’s assumption that the tool exits 0 when the backdoor is found, so verify the real exit codes (or parse the tool’s output) before relying on it, and use a self-hosted runner that can actually reach the RDP host.
Example GitHub Actions step:
- name: RDP Sticky Keys Scan
  run: |
    if ./brutus rdp --target ${{ secrets.RDP_HOST }} --check-stickykeys; then
      echo "Vulnerability detected!"; exit 1
    fi
What Undercode Say:
- Key Takeaway 1: The sticky keys backdoor is not a relic of the past—it remains a prevalent issue, with research suggesting 1 in 100 internet-exposed RDP servers still vulnerable. Automation is no longer optional for thorough penetration testing.
- Key Takeaway 2: Modern tooling like Brutus, which leverages WebAssembly and AI, demonstrates the shift toward more accessible, pipeline-friendly security tools. The removal of complex dependencies (like CGO or GPL libraries) lowers the barrier to entry for both offensive and defensive teams.
Prediction:
As RDP remains a top attack vector for ransomware and lateral movement, we can expect an arms race in both detection and evasion. Attackers will likely develop obfuscated accessibility backdoors that evade pixel-based detection, while defenders will increasingly adopt AI-driven analysis and automated remediation pipelines. The integration of such checks into continuous security validation platforms will become standard, moving sticky keys detection from a manual “nice-to-have” to a non-negotiable compliance control in cloud and on-premises environments. The success of Brutus may also inspire similar automation for the other accessibility binaries (e.g., utilman.exe, osk.exe), further hardening the Windows logon interface against physical and remote attackers.
Reported By: Hdmoore – Hackers Feeds


