{ "query": "Which technique involves replacing the Windows Sticky Keys executable with cmd.exe to obtain a SYSTEM shell at the logon screen?", "options": [ { "text": "DLL search order hijacking", "explanation": "This technique causes an application to load a malicious dynamic link library by exploiting the DLL search order.", "correct": false, "selected": false }, { "text": "Sticky Keys executable replacement", "explanation": "This method overwrites sethc.exe with cmd.exe so invoking Sticky Keys launches a SYSTEM command prompt.", "correct": true, "selected": false }, { "text": "Pass the hash attack", "explanation": "This attack uses captured hashed credentials to authenticate as a user without knowing the plaintext password.", "correct": false, "selected": false } ], "answer": "
The correct answer is Sticky Keys executable replacement.
This technique works by replacing an accessibility executable: it typically means swapping C:\\Windows\\System32\\sethc.exe with cmd.exe so that, when the Sticky Keys trigger is activated at the logon screen, a command prompt runs with Local System account privileges.
Because the executable is launched by the logon process, the spawned shell inherits SYSTEM privileges and therefore provides a full elevated command shell without interactive sign-in. Replacing the file usually requires either administrative write access to the System32 folder or offline modification of the system image or registry hive.
DLL search order hijacking is incorrect because that technique abuses how Windows locates and loads DLLs for an application, and it does not describe replacing the Sticky Keys executable to spawn cmd.exe at the logon screen.
Pass the hash attack is incorrect because it is a credential reuse technique that authenticates using an NTLM hash rather than a plaintext password, and it does not involve substituting accessibility executables to obtain a SYSTEM shell at the logon screen.
", "batch_id": "46", "answerCode": "2", "type": "multiple-choice", "originalQuery": "Bendtner, a professional hacker, gained initial access to a remote system via a compromised user. To gain root-level access, he copied the file sethc.exe from %systemroot%\\system32 and the file cmd.exe to another location. Now, he restarted the system and pressed the Shift key 5 times to launch Command Prompt with system-level access.", "originalOptions": "A. Privilege escalation using Dylib hijackingWhen a question mentions replacing an accessibility executable at the logon screen think of Sticky Keys or utilman tricks and remember that this requires write access to System32 or offline modification to succeed.
", "references": [ "https://learn.microsoft.com/en-us/windows/accessibility/", "https://attack.mitre.org/techniques/T1546/009/", "https://www.hackingarticles.in/windows-sticky-keys-and-utilman-backdoor/" ], "video_url": "https://certificationation.com/videos/others/eccouncil/ethical-hacker/eccouncil-gained-initial-access-to-a-exam-585.html", "url": "https://certificationation.com/questions/others/eccouncil/ethical-hacker/eccouncil-gained-initial-access-to-a-exam-585.html" }