EDR: What is the Suspicious Sticky Keys process?


Article ID: 286197


Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

What is the Suspicious Sticky Keys process?

Environment

  • EDR Server: All Supported Versions

Resolution

  • Description: Similar to utilman.exe, sethc.exe (the Sticky Keys binary) can be replaced to bypass the Windows login.
  • Threat: Potential for abuse or replacement
  • Recommended Score: Number (1-100) 
  • Query (example):  process_name:sethc.exe -file_desc:"Accessibility shortcut keys"
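
The logic of the example query, applied to a few constructed process events to show which ones it flags. This is an added example, not Carbon Black code; the "hostname" and "start" fields, the sample events, and the case-insensitive comparison are assumptions.

```python
# Added example: the query's logic applied to constructed process events.
EXPECTED_DESC = "Accessibility shortcut keys"  # from the query on this page


def is_suspicious_sethc(event):
    """process_name:sethc.exe -file_desc:"Accessibility shortcut keys"."""
    # Assumption: names and descriptions compare case-insensitively.
    name = (event.get("process_name") or "").lower()
    if name != "sethc.exe":
        return False
    # A missing or empty description is not the expected one, so the
    # negated term keeps the event as a hit.
    desc = (event.get("file_desc") or "").strip().lower()
    return desc != EXPECTED_DESC.lower()


def triage(events):
    """Return matching events, newest first, for analyst review."""
    hits = [e for e in events if is_suspicious_sethc(e)]
    return sorted(hits, key=lambda e: e["start"], reverse=True)


# Constructed sample events; "hostname" and "start" are hypothetical fields.
SAMPLE_EVENTS = [
    {"hostname": "ws-01", "start": "2024-05-01T08:00:00Z",
     "process_name": "sethc.exe", "file_desc": "Accessibility shortcut keys"},
    {"hostname": "ws-02", "start": "2024-05-01T09:30:00Z",
     "process_name": "sethc.exe", "file_desc": "Windows Command Processor"},
    {"hostname": "ws-03", "start": "2024-05-01T10:15:00Z",
     "process_name": "SETHC.EXE", "file_desc": None},
    {"hostname": "ws-04", "start": "2024-05-01T11:00:00Z",
     "process_name": "utilman.exe", "file_desc": "Windows Command Processor"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["start"], hit["hostname"], repr(hit["file_desc"]))
```

The utilman.exe event is not flagged because the query on this page covers sethc.exe only.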