{
  "query": "Which Windows privilege escalation technique replaces sethc.exe with cmd.exe so that activating Sticky Keys opens a SYSTEM command prompt?",
  "options": [
    {
      "text": "DLL search order hijacking",
      "explanation": "This places a malicious DLL where the OS will load it instead of the legitimate library to gain elevated privileges.",
      "correct": false,
      "selected": false
    },
    {
      "text": "Windows Sticky Keys bypass",
      "explanation": "This replaces the Sticky Keys executable with cmd.exe so pressing Shift five times opens a SYSTEM command shell.",
      "correct": true,
      "selected": false
    },
    {
      "text": "Modifying startup scripts",
      "explanation": "This changes boot or logon scripts so arbitrary code executes with elevated permissions during startup or user logon.",
      "correct": false,
      "selected": false
    }
  ],
  "answer": "<p>The correct answer is <b>Windows Sticky Keys bypass</b>.</p><p><b>Windows Sticky Keys bypass</b> is the technique that replaces the accessibility executable sethc.exe with cmd.exe so that pressing the Shift key five times at the login or lock screen launches a command prompt running with SYSTEM privileges. The accessibility program is launched by the system when the Sticky Keys shortcut is invoked and a replaced sethc.exe will run cmd.exe under those same elevated credentials which gives an attacker a SYSTEM shell.</p><p><i>DLL search order hijacking</i> is a different attack that abuses how Windows locates and loads DLLs for applications and it does not involve replacing sethc.exe or triggering Sticky Keys.</p><p><i>Modifying startup scripts</i> refers to changing logon scripts or scheduled tasks to run code at boot or user logon and it is not the same as swapping the Sticky Keys executable to obtain an immediate SYSTEM command prompt.</p>",
  "batch_id": "58",
  "answerCode": "2",
  "type": "multiple-choice",
  "originalQuery": "Maldini, a professional hacker, gained initial access to a remote system via a compromised user. To gain root-level access, he copied the file sethc.exe from %systemroot%\\system32 and the file cmd.exe to another location. Now, he restarted the system and pressed the Shift key 5 times to launch Command Prompt with system-level access. Which of the following privilege escalation techniques did Maldini employ in the above scenario?",
  "originalOptions": "A. Privilege escalation using Windows Sticky Keys<br/>B. Privilege escalation by modifying domain policy<br/>C. Privilege escalation by abusing boot or logon initialization scripts<br/>D. Privilege escalation using Dylib hijacking",
  "domain": "Reconnaissance Techniques for Ethical Hacking",
  "hasImage": false,
  "queryImage": "",
  "queryImages": [],
  "allImages": [],
  "hasAnyImage": false,
  "deprecatedReference": false,
  "deprecatedMatches": {},
  "hasPre": false,
  "qid": "1543s",
  "tip": "<p>Pay attention to exact feature names such as <i>sethc.exe</i> or <i>Sticky Keys</i> in answer choices because questions about privilege escalation often hinge on the specific file or accessibility feature being abused.</p>",
  "references": [],
  "video_url": "https://certificationation.com/videos/others/eccouncil/ethical-hacker/eccouncil-gained-initial-access-to-a-exam-1543.html",
  "url": "https://certificationation.com/questions/others/eccouncil/ethical-hacker/eccouncil-gained-initial-access-to-a-exam-1543.html"
}