EDR: What is the Suspicious Sticky Keys process?
Article ID: 286197
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
What is the Suspicious Sticky Keys process?
Environment
- EDR Server: All Supported Versions
Resolution
- Description: Similar to utilman.exe, sethc.exe (the Sticky Keys accessibility binary) can be replaced to bypass the Windows login.
- Threat: Potential for abuse or replacement
- Recommended Score: Number (1-100)
- Query (example): process_name:sethc.exe -file_desc:"Accessibility shortcut keys"
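The matching logic of the query above, as an added example that is not Carbon Black's code: a simplified Python model run over constructed process events. Assumptions: terms are ANDed, a leading `-` negates a term, matching is exact and case-insensitive, and the host names and event fields are hypothetical.

```python
import shlex

# The watchlist query from the article, copied verbatim.
QUERY = 'process_name:sethc.exe -file_desc:"Accessibility shortcut keys"'


def parse_query(query):
    """Split a query into (negated, field, value) terms.

    Simplified model (assumption, not the EDR's real parser): terms are
    ANDed, a leading '-' negates, double quotes group a value with spaces.
    """
    terms = []
    for token in shlex.split(query):
        negated = token.startswith("-")
        field, _, value = (token[1:] if negated else token).partition(":")
        if not field or not value:
            raise ValueError(f"unsupported term: {token!r}")
        terms.append((negated, field, value.lower()))
    return terms


def matches(event, terms):
    """True when every term holds for the event.

    A missing field never equals the value, so the negated file_desc term
    still matches a binary that has no file description at all.
    """
    for negated, field, value in terms:
        equal = str(event.get(field, "")).strip().lower() == value
        if equal == negated:  # positive term failed, or negated term hit
            return False
    return True


# Constructed sample events (not real telemetry).
EVENTS = [
    {"hostname": "ws-01", "process_name": "sethc.exe",
     "file_desc": "Accessibility shortcut keys"},       # genuine binary
    {"hostname": "ws-02", "process_name": "SETHC.EXE",
     "file_desc": "Constructed Replacement Binary"},    # description differs
    {"hostname": "ws-03", "process_name": "sethc.exe"},  # no description
    {"hostname": "ws-04", "process_name": "notepad.exe", "file_desc": "Notepad"},
]


def suspicious_hosts(events, query=QUERY):
    """Return the host names whose events the query would flag."""
    terms = parse_query(query)
    return [e["hostname"] for e in events if matches(e, terms)]
```

The file description is metadata carried by the binary, so a hit is best confirmed during triage against the file's hash or signature.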