> For the complete documentation index, see [llms.txt](https://www.ired.team/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.ired.team/offensive-security/persistence/t1015-sethc.md).

# Sticky Keys

## Execution

Replace the originali sethc.exe with a cmd.exe and rename it. You may need to change sethc.exe owner to yourself first as TrustedIntaller may be giving you a hard time:

![](/files/-LI2keQv_N9EOG3hhqnY)

![](/files/-LI2kIQx0zYFEUarD5nO)

Hit shift 5 times while on the logon screen to invoke the backdoor:

![](/files/-LI2liUhh3mtk4gAw6lD)

## Observations

If you notice sethc.exe spawning well known windows processes, you may want to investigate the endpoint further:

![](/files/-LI2juUGYZvXZn5Au1un)
