Accessibility Features - T1546.008
(ATT&CK® Technique)
Definition
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (e.g., when the user is on the Windows logon screen). Programs launched this way from the logon screen run with SYSTEM privileges, which is why the technique can elevate privileges as well as provide persistence. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;

%% D3FEND inferred relationships for ATT&CK T1546.008 (Accessibility Features).
%% Every defensive edge is inferred through a shared artifact and is labelled
%% "May ...": read each one as a candidate control to evaluate, not as
%% confirmed coverage of the technique.
%% Each class/click statement is declared once; edge order is unchanged.

%% --- Artifacts the offensive technique may create or modify ---
T1546008["Accessibility Features"] --> |may-create| IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
class T1546008 OffensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click IntranetAdministrativeNetworkTraffic href "/dao/artifact/d3f:IntranetAdministrativeNetworkTraffic";
click T1546008 href "/offensive-technique/attack/T1546.008/";

T1546008["Accessibility Features"] --> |may-modify| SystemConfigurationDatabaseRecord["System Configuration Database Record"];
class SystemConfigurationDatabaseRecord ArtifactNode;
click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord";

T1546008["Accessibility Features"] --> |may-modify| ExecutableBinary["Executable Binary"];
class ExecutableBinary ArtifactNode;
click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary";

%% --- May Detect: analysis of intranet administrative network traffic ---
AdministrativeNetworkActivityAnalysis["Administrative Network Activity Analysis"] --> | analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
AdministrativeNetworkActivityAnalysis["Administrative Network Activity Analysis"] -.-> | May Detect | T1546008["Accessibility Features"];
class AdministrativeNetworkActivityAnalysis DefensiveTechniqueNode;
click AdministrativeNetworkActivityAnalysis href "/technique/d3f:AdministrativeNetworkActivityAnalysis";

PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] --> | analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.-> | May Detect | T1546008["Accessibility Features"];
class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis";

ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] --> | analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.-> | May Detect | T1546008["Accessibility Features"];
class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection";

NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] --> | analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.-> | May Detect | T1546008["Accessibility Features"];
class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis";

%% --- May Deceive: decoy standing in for the executable binary ---
DecoyFile["Decoy File"] --> | spoofs | ExecutableBinary["Executable Binary"];
DecoyFile["Decoy File"] -.-> | May Deceive | T1546008["Accessibility Features"];
class DecoyFile DefensiveTechniqueNode;
click DecoyFile href "/technique/d3f:DecoyFile";

%% --- May Detect: further network-traffic analyses ---
Client-serverPayloadProfiling["Client-server Payload Profiling"] --> | analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
Client-serverPayloadProfiling["Client-server Payload Profiling"] -.-> | May Detect | T1546008["Accessibility Features"];
class Client-serverPayloadProfiling DefensiveTechniqueNode;
click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling";

NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] --> | analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.-> | May Detect | T1546008["Accessibility Features"];
class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation";

ConnectionAttemptAnalysis["Connection Attempt Analysis"] --> | analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
ConnectionAttemptAnalysis["Connection Attempt Analysis"] -.-> | May Detect | T1546008["Accessibility Features"];
class ConnectionAttemptAnalysis DefensiveTechniqueNode;
click ConnectionAttemptAnalysis href "/technique/d3f:ConnectionAttemptAnalysis";

RemoteTerminalSessionDetection["Remote Terminal Session Detection"] --> | analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.-> | May Detect | T1546008["Accessibility Features"];
class RemoteTerminalSessionDetection DefensiveTechniqueNode;
click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection";

UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] --> | analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.-> | May Detect | T1546008["Accessibility Features"];
class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis";

%% --- May Detect: analysis of the executable binary ---
EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | ExecutableBinary["Executable Binary"];
EmulatedFileAnalysis["Emulated File Analysis"] -.-> | May Detect | T1546008["Accessibility Features"];
class EmulatedFileAnalysis DefensiveTechniqueNode;
click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis";

DynamicAnalysis["Dynamic Analysis"] --> | analyzes | ExecutableBinary["Executable Binary"];
DynamicAnalysis["Dynamic Analysis"] -.-> | May Detect | T1546008["Accessibility Features"];
class DynamicAnalysis DefensiveTechniqueNode;
click DynamicAnalysis href "/technique/d3f:DynamicAnalysis";

FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | ExecutableBinary["Executable Binary"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.-> | May Detect | T1546008["Accessibility Features"];
class FileIntegrityMonitoring DefensiveTechniqueNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring";

%% --- May Evict: removal of the executable binary ---
FileEviction["File Eviction"] --> | deletes | ExecutableBinary["Executable Binary"];
FileEviction["File Eviction"] -.-> | May Evict | T1546008["Accessibility Features"];
class FileEviction DefensiveTechniqueNode;
click FileEviction href "/technique/d3f:FileEviction";

%% --- May Harden: protections applied to the executable binary ---
LocalFilePermissions["Local File Permissions"] --> | restricts | ExecutableBinary["Executable Binary"];
LocalFilePermissions["Local File Permissions"] -.-> | May Harden | T1546008["Accessibility Features"];
class LocalFilePermissions DefensiveTechniqueNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";

FileEncryption["File Encryption"] --> | encrypts | ExecutableBinary["Executable Binary"];
FileEncryption["File Encryption"] -.-> | May Harden | T1546008["Accessibility Features"];
class FileEncryption DefensiveTechniqueNode;
click FileEncryption href "/technique/d3f:FileEncryption";

%% --- May Isolate: traffic filtering and execution control ---
NetworkTrafficFiltering["Network Traffic Filtering"] --> | filters | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
NetworkTrafficFiltering["Network Traffic Filtering"] -.-> | May Isolate | T1546008["Accessibility Features"];
class NetworkTrafficFiltering DefensiveTechniqueNode;
click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering";

ExecutableDenylisting["Executable Denylisting"] --> | blocks | ExecutableBinary["Executable Binary"];
ExecutableDenylisting["Executable Denylisting"] -.-> | May Isolate | T1546008["Accessibility Features"];
class ExecutableDenylisting DefensiveTechniqueNode;
click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting";

ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | ExecutableBinary["Executable Binary"];
ExecutableAllowlisting["Executable Allowlisting"] -.-> | May Isolate | T1546008["Accessibility Features"];
class ExecutableAllowlisting DefensiveTechniqueNode;
click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting";

%% --- May Restore: recovery of the configuration record and the binary ---
RestoreConfiguration["Restore Configuration"] --> | restores | SystemConfigurationDatabaseRecord["System Configuration Database Record"];
RestoreConfiguration["Restore Configuration"] -.-> | May Restore | T1546008["Accessibility Features"];
class RestoreConfiguration DefensiveTechniqueNode;
click RestoreConfiguration href "/technique/d3f:RestoreConfiguration";

RestoreFile["Restore File"] --> | restores | ExecutableBinary["Executable Binary"];
RestoreFile["Restore File"] -.-> | May Restore | T1546008["Accessibility Features"];
class RestoreFile DefensiveTechniqueNode;
click RestoreFile href "/technique/d3f:RestoreFile";

%% --- May Detect: general file analysis of the executable binary ---
FileAnalysis["File Analysis"] --> | analyzes | ExecutableBinary["Executable Binary"];
FileAnalysis["File Analysis"] -.-> | May Detect | T1546008["Accessibility Features"];
class FileAnalysis DefensiveTechniqueNode;
click FileAnalysis href "/technique/d3f:FileAnalysis";