{
	"id": "928d1fdc-a4fd-476d-952f-a4c009c58463",
	"created_at": "2026-04-06T01:31:55.093134Z",
	"updated_at": "2026-04-10T03:22:03.483735Z",
	"deleted_at": null,
	"sha1_hash": "7f61fc08682b1b49eaa76d663a06f393b8198229",
	"title": "Sticky Keys to the Kingdom",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1055202,
	"plain_text": "Sticky Keys to the Kingdom\r\nArchived: 2026-04-06 01:03:33 UTC\r\nhttps://www.slideshare.net/DennisMaldonado5/sticky-keys-to-the-kingdom\r\nPage 1 of 14\n\nhttps://www.slideshare.net/DennisMaldonado5/sticky-keys-to-the-kingdom\r\nPage 2 of 14\n\nhttps://www.slideshare.net/DennisMaldonado5/sticky-keys-to-the-kingdom\r\nPage 3 of 14\n\nhttps://www.slideshare.net/DennisMaldonado5/sticky-keys-to-the-kingdom\r\nPage 4 of 14\n\nMore Related Content\r\nPDF\r\nUpping the APT hunting game: learn the best YARA practices from Kaspersky\r\nPDF\r\nhttps://www.slideshare.net/DennisMaldonado5/sticky-keys-to-the-kingdom\r\nPage 5 of 14\n\nA Year in the Empire\r\nPDF\r\naclpwn - Active Directory ACL exploitation with BloodHound\r\nPDF\r\nSEH overwrite and its exploitability\r\nPDF\r\nAem dispatcher – tips \u0026 tricks\r\nPDF\r\nWindows attacks - AT is the new black\r\nPPTX\r\nPSConfEU - Offensive Active Directory (With PowerShell!)\r\nPPTX\r\nHere Be Dragons: The Unexplored Land of Active Directory ACLs\r\nWhat's hot\r\nPDF\r\nSecure Coding principles by example: Build Security In from the start - Carlo...\r\nPPTX\r\nDeep dive into Java security architecture\r\nPPTX\r\nSecure coding practices\r\nPPT\r\niOS Application Pentesting\r\nPDF\r\nMonitoring your Python with Prometheus (Python Ireland April 2015)\r\nPPTX\r\nNetcat - A Swiss Army Tool\r\nhttps://www.slideshare.net/DennisMaldonado5/sticky-keys-to-the-kingdom\r\nPage 6 of 14\n\nPDF\r\nAutomation with ansible\r\nPDF\r\nWindows Threat Hunting\r\nPDF\r\nCNIT 126: 10: Kernel Debugging with WinDbg\r\nPDF\r\nOpenStack keystone identity service\r\nPPTX\r\nBridging the Gap\r\nPDF\r\nThick Client Penetration Testing.pdf\r\nPPTX\r\nBuilding secure applications with keycloak\r\nPPTX\r\nMalware Static Analysis\r\nODP\r\nGraylog\r\nPPTX\r\nRACE - Minimal Rights and ACE for Active Directory Dominance\r\nPDF\r\nOwasp zap\r\nPPTX\r\nVault\r\nPPTX\r\nIntro to Pentesting 
Jenkins\r\nhttps://www.slideshare.net/DennisMaldonado5/sticky-keys-to-the-kingdom\r\nPage 7 of 14\n\nPDF\r\nHunting for Privilege Escalation in Windows Environment\r\nViewers also liked\r\nPPTX\r\nHacking Access Control Systems\r\nPPTX\r\nGetting Started in Information Security\r\nPPTX\r\nMetasploit for Web Workshop\r\nPDF\r\nZpusob Vyuky Marketingove Komunikace Na Pef Czu V Praze\r\nDOC\r\nSame Origin Policy Weaknesses\r\nPDF\r\nPaměťové techniky\r\nPDF\r\nTechniky učení\r\nPDF\r\nePUB 3 and Publishing e-books\r\nPPTX\r\nEvaluating and Selecting a Learning Management System\r\nPPTX\r\nWindows 7 Security\r\nPPTX\r\nAccess Controls Attacks\r\nPPTX\r\nhttps://www.slideshare.net/DennisMaldonado5/sticky-keys-to-the-kingdom\r\nPage 8 of 14\n\nKali net hunter\r\nPPT\r\nBuilding An Information Security Awareness Program\r\nSimilar to Sticky Keys to the Kingdom\r\nPDF\r\nDEFCON 23 - Gerard Laygui - forensic artifacts pass the hash att\r\nPDF\r\nCNIT 121: 12 Investigating Windows Systems (Part 3)\r\nPDF\r\nWindows Attacks AT is the new black\r\nPPTX\r\nOwning computers without shell access 2\r\nPDF\r\n[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들\r\nPDF\r\nCNIT 152 12. 
Investigating Windows Systems (Part 3)\r\nPDF\r\nHunting Lateral Movement in Windows Infrastructure\r\nPDF\r\nNtxissacsc5 red 1 \u0026amp; 2 basic hacking tools ncc group\r\nPPTX\r\nKheirkhabarov24052017_phdays7\r\nPPTX\r\nГоризонтальные перемещения в инфраструктуре Windows\r\nPPT\r\nComputer Forensics \u0026amp; Windows Registry\r\nhttps://www.slideshare.net/DennisMaldonado5/sticky-keys-to-the-kingdom\r\nPage 9 of 14\n\nPDF\r\nThe Dark Side of PowerShell by George Dobrea\r\nPPT\r\nComputer Forensics \u0026amp; Windows Registry\r\nPPTX\r\nIllegal_File_Transferring_Memory_Forensics.pptx\r\nPDF\r\nCNIT 152: 12 Investigating Windows Systems (Part 2 of 3)\r\nPPTX\r\nWindows Malware Techniques\r\nPPT\r\nMalware forensics\r\nPDF\r\nEver Present Persistence - Established Footholds Seen in the Wild\r\nPPTX\r\nSo you want to be a security expert\r\nPPTX\r\nCyber security and ethical hacking 9\r\nRecently uploaded\r\nPDF\r\nWebinar Serie 2026 - HCL Notes 2026 durchleuchtet\r\nPDF\r\nClaude token security issues and overall security architecture\r\nPPTX\r\nAutomating Form Validation and Verification with Multi-Modal LLMs\r\nPDF\r\nhttps://www.slideshare.net/DennisMaldonado5/sticky-keys-to-the-kingdom\r\nPage 10 of 14\n\nEmpowering BFSI with ThousandEyes Real-Time Digital Performance Intelligence\r\nPDF\r\n2025 Infrastructure Resilience Blueprint\r\nPDF\r\nEnergy Aware Combinatorial Optimization.pdf\r\nPPTX\r\nAutomating GitHub Changelog Reading with AI Agentic Workflows for Faster Updates\r\nPDF\r\nThe Agentic AI Foundation: Architecting Autonomous Systems for 2026 and Beyond\r\nPDF\r\nHow a Gated Community Operates on Ground?\r\nPPTX\r\nAutomating YAML Reusable Workflow Updates with GitHub Agentic Workflows for S...\r\nPDF\r\nAdvanced Quantization Techniques for Large Language Models in 2026\r\nPPTX\r\nComprehensive Introduction to Blockchain Technology for Maritime Sector Appli...\r\nPDF\r\nScaling Applications from Prototype to Millions of Users: Architecture and 
Sticky Keys to the Kingdom\r\n1.\r\nSticky Keys to the Kingdom\r\nPRE-AUTH SYSTEM RCE ON WINDOWS IS MORE COMMON THAN YOU THINK\r\nDENNIS MALDONADO \u0026 TIM MCGUFFIN\r\nLARES\r\n2.\r\nAbout Us • Dennis Maldonado • Adversarial Engineer – LARES Consulting • Founder • Houston Locksport • Houston Area Hackers Anonymous (HAHA) • Tim McGuffin • Red Team Manager – LARES Consulting • 10-year DEFCON Goon • DEFCON CTF Participant • Former CCDC Team Coach www.lares.com\r\n3.\r\nHistory • “How to Reset Windows Passwords” websites • Replace sethc.exe or utilman.exe with cmd.exe • Reboot, Press Shift 5x or WIN+U • net user (username) (password) • Login! • Nobody ever cleans up after themselves • Can be used as a backdoor/persistence method • No Windows Event Logs are generated when backdoor is executed\r\n4.\r\nImplementation • Binary Replacement • Replace any of the accessibility tool binaries • Requires elevated rights • Registry (Debugger Method) • HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe • Debugger REG_SZ C:\\Windows\\System32\\cmd.exe • Requires elevated rights\r\n5.\r\nWindows Accessibility Tools\r\nBinary | Description | How to access\r\nC:\\Windows\\System32\\sethc.exe | Accessibility shortcut keys | Shift 5 times\r\nC:\\Windows\\System32\\Utilman.exe | Utility Manager | Windows Key + U\r\nC:\\Windows\\System32\\osk.exe | On-Screen Keyboard | Locate the option on the screen using the mouse\r\nC:\\Windows\\System32\\Magnify.exe | Magnifier | Windows Key + [Equal Sign]\r\nC:\\Windows\\System32\\Narrator.exe | Narrator | Windows Key + Enter\r\nC:\\Windows\\System32\\DisplaySwitch.exe | Display Switcher | Windows Key + P\r\nC:\\Windows\\System32\\AtBroker.exe | Manages switching of apps between desktops | Have osk.exe, Magnify.exe, or Narrator.exe open then lock the computer. AtBroker.exe will be executed upon locking and unlocking\r\n6.\r\nLimitations • Elevated access or offline system required • Replacing binary must be Digitally Signed • Replacing binary must exist in System32 • Replacing binary must exist in Windows “Protected File” list • You can’t use any old Binary, but you can cmd.exe /c file.bat\r\n7.\r\nBackground • While working with an Incident Response Team: • Uncovered dozens of vulnerable hosts via file checks • Identification was done from the filesystem side • Missed the debugger method • Missed any unmanaged boxes • Needed a network-based scanner\r\n8.\r\nBackground • We wanted to write our own network-based tool • Started down the JavaRDP/Python Path • Ran across @ztgrace’s PoC script, Sticky Keys Hunter • It worked, and was a great starting point • Similar to “PeepingTom” • Opens a Remote Desktop connection • Sends keyboard presses • Saves screenshot to a file • To do list including automatic command prompt detection and multi-threading\r\n9.\r\nOur Solution – Sticky Key Slayer • Parallelized scanning of multiple hosts • Automated command prompt detection • Detailed logging • Error handling • Performance improvements • Bash\r\n10.\r\n15.\r\nTools Usage • ./stickyKeysSlayer.sh -v -j 8 -t 10 targetlist.txt • -v • Verbose output • -j \u003cnum_of_jobs\u003e • Jobs to run (defaults to 1) • -t \u003ctime_in_seconds\u003e • Timeout in seconds (defaults to 30 seconds) • targetlist.txt • Hosts list delimited by line\r\n16.\r\nLimitations • Ties up a Linux VM while scanning • Needed for window focus and screenshotting • Will not alert on anything that is not cmd.exe • Ran across taskmgr.exe, mmc.exe, other custom applications\r\n17.\r\nStatistics • On a large Business ISP: • Over 100,000 boxes scanned • About 571 Command Prompts • 1 out of 175 • All types of Institutions • Educational Institutions • Law Offices • Manufacturing Facilities • Gaming companies • Etc…\r\n18.\r\nRecommendations • Remediation • Delete or replace the affected file (sethc.exe, utilman.exe, …) • sfc.exe /scannow • Remove the affected registry entry • Treat this as an indicator of compromise • Prevention and Detection • Restrict local administrative access • Enable full disk encryption • Network Level Authentication for Remote Desktop Connection • End point monitoring • Netflow analysis\r\n19.\r\nTool Release • Code is on GitHub • https://github.com/linuz/Sticky-Keys-Slayer • Contribute • Report Issues • Send us feedback • Slides • http://www.slideshare.net/DennisMaldonado5/sticky-keys-to-the-kingdom • Demo Video • https://www.youtube.com/watch?v=Jy4hg4a1FYI www.lares.com\r\n20.\r\nEditor's Notes\r\n#2 Tim\r\n#3 Tim\r\n#4 Tim Find better top screenshot\r\n#5 Tim\r\n#6 Tim\r\n#7 Tim\r\n#8 Tim\r\n#9 Tim\r\n#10 Dennis\r\n#11 Dennis\r\n#13 Dennis\r\n#14 Dennis\r\n#15 Dennis\r\n#16 Dennis Write this slide on tool usage. Help stuff\r\n#17 Dennis\r\n#18 Tim\r\n#19 Dennis\r\n#20 Dennis Write this slide\r\n#21 Dennis\r\nSource: https://www.slideshare.net/DennisMaldonado5/sticky-keys-to-the-kingdom",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.slideshare.net/DennisMaldonado5/sticky-keys-to-the-kingdom"
	],
	"report_names": [
		"sticky-keys-to-the-kingdom"
	],
	"threat_actors": [],
	"ts_created_at": 1775439115,
	"ts_updated_at": 1775791323,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7f61fc08682b1b49eaa76d663a06f393b8198229.pdf",
		"text": "https://archive.orkl.eu/7f61fc08682b1b49eaa76d663a06f393b8198229.txt",
		"img": "https://archive.orkl.eu/7f61fc08682b1b49eaa76d663a06f393b8198229.jpg"
	}
}