DET0033 Detection Strategy for Accessibility Feature Hijacking via Binary Replacement or Registry Modification

Item	Value
ID	DET0033
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1546.008 (Accessibility Features)

Analytics

Windows

AN0094

Defenders can observe suspicious replacement or tampering of system accessibility binaries (e.g., utilman.exe, sethc.exe, osk.exe) and anomalous modifications to registry keys used to redirect accessibility programs (such as IFEO keys). Additionally, execution of cmd.exe or other suspicious binaries triggered from the login screen by SYSTEM can be correlated as part of a behavior chain.

Log Sources

Data Component	Name	Channel
File Creation (DC0039)	WinEventLog:Sysmon	EventCode=11
Process Creation (DC0032)	WinEventLog:Sysmon	EventCode=1
Windows Registry Key Modification (DC0063)	WinEventLog:Sysmon	EventCode=13, 14
File Metadata (DC0059)	WinEventLog:Sysmon	EventCode=15

Mutable Elements

Field	Description
TimeWindow	Time between registry modification and suspicious binary execution (e.g., < 1 hour) can be tuned.
TargetBinaryNames	Specific binaries monitored (e.g., utilman.exe, sethc.exe) can be adjusted per OS version and risk tolerance.
ParentProcess	Parent process of cmd.exe (e.g., winlogon.exe) may vary across legitimate and adversarial cases.
UserContext	Context of SYSTEM account execution vs. administrative sessions may influence tuning.
CommandLineContains	Tunable patterns such as launching cmd.exe, powershell, or LOLBins from accessibility binaries.