This POC bash script tests for sticky keys and utilman backdoors. The script will connect to an RDP server, send both the sticky keys and utilman triggers and screenshot the result.
This script was written to prove a theory I had about detecting these backdoors in a blackbox fashion, and hasn't been updated since I wrote my blog post, Hunting Sticky Keys Backdoors. However, @DennisMald and @notmedic furthered this research and released the Sticky Keys Slayer tool at their DEF CON 24 presentation, Sticky Keys To The Kingdom. Check out their tool as it has many improvements over this POC script.
- Connects to RDP using rdesktop
- Sends shift 5 times using xdotool to trigger sethc.exe backdoors
- Sends Windows+u using xdotool to trigger utilman.exe backdoors
- Takes screenshot
- Kills RDP connection
- Linux host running an X server
- The following packages: xdotool imagemagick rdesktop bc
3. Debian/Ubuntu/Kali install:
apt-get install xdotool imagemagick rdesktop bc
- Screen cannot be locked during this process or all of the screenshots will turn out black
Scan a single host: ./stickyKeysHunter.sh 192.168.1.10
Scan Multiple hosts: for i in $(cat list.txt); do ./stickyKeysHunter.sh "${i}"; done
- Automatically analyze screenshots with OCR or image processing to identify backdoors.
- Speed up/multithread the tool.