T1546.008 Accessibility Features
T1136 Create Account
T1068 Exploitation for Privilege Escalation
Activity was observed on host Henry (172.16.17.149) where Utilman.exe was launched by Winlogon.exe and executed the command net user superman onepunch123 /add, indicating local account creation with elevated privileges.
An attacker modified the Windows accessibility binary Utilman.exe by renaming the original file and replacing it with cmd.exe. After rebooting the system, the attacker leveraged the accessibility feature at the Windows logon screen to obtain SYSTEM-level command prompt access. From this elevated context, a new user account “superman” was created and added to the local administrators group.
Timestamp: Jun 21, 2023, 11:02 AM
Hostname: Henry
IP Address: 172.16.17.149
File Path: C:\Windows\System32\utilman.exe
Parent Process: Winlogon.exe
The attacker abused the Windows accessibility feature (Utilman.exe), which can be launched before authentication at the login screen. By replacing utilman.exe with cmd.exe, the attacker obtained a SYSTEM-level shell prior to user authentication. This allowed creation of a new privileged account without valid credentials, resulting in successful local privilege escalation and persistence.
Evidence
utilman.exe renamed to utilman.old
cmd.exe copied to utilman.exe
System rebooted
Command executed: net user superman onepunch123 /add
Command executed: net localgroup administrators superman
Process launched from Winlogon.exe
Device Action: Allowed
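A detection worked example, added here and not part of the original alert, that turns the evidence above into two rules over process-creation telemetry: (1) winlogon.exe spawns an accessibility binary whose PE OriginalFileName does not match its name on disk (cmd.exe copied over utilman.exe), and (2) net.exe account-creation or administrators-group commands whose parent is winlogon.exe or an accessibility binary. Field names follow Sysmon Event ID 1; the ProcEvent type, the analyze() function and the sample events are this example's own and the events are constructed to mirror this incident, not real logs.

```python
import re
from dataclasses import dataclass

# Accessibility binaries that winlogon.exe can start from the logon screen,
# i.e. before any user has authenticated (the T1546.008 target set).
ACCESSIBILITY_BINARIES = {
    "utilman.exe", "sethc.exe", "osk.exe", "magnify.exe",
    "narrator.exe", "displayswitch.exe", "atbroker.exe",
}
NET_BINARIES = {"net.exe", "net1.exe"}

# Account creation / administrators-group grant, as seen in the evidence list.
ACCOUNT_PATTERNS = (
    re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I),
    re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+\S+", re.I),
)


@dataclass
class ProcEvent:
    """Subset of a Sysmon Event ID 1 (process create) record (example type)."""
    utc_time: str
    host: str
    image: str                   # path of the new process
    parent_image: str            # path of its parent
    command_line: str
    original_file_name: str = ""  # PE OriginalFileName; empty if the source lacks it


def _name(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (rule, event) pairs for events matching the T1546.008 chain."""
    findings = []
    for ev in events:
        img, parent = _name(ev.image), _name(ev.parent_image)

        # Rule 1: winlogon started an accessibility binary whose PE metadata
        # says it is really another program (e.g. Cmd.Exe under utilman.exe).
        if (parent == "winlogon.exe" and img in ACCESSIBILITY_BINARIES
                and ev.original_file_name
                and ev.original_file_name.lower() != img):
            findings.append(("accessibility_binary_replaced", ev))

        # Rule 2: account creation or admin-group grant running under the
        # pre-authentication chain (parent is winlogon or an accessibility binary).
        if (img in NET_BINARIES
                and (parent == "winlogon.exe" or parent in ACCESSIBILITY_BINARIES)
                and any(p.search(ev.command_line) for p in ACCOUNT_PATTERNS)):
            findings.append(("preauth_account_manipulation", ev))
    return findings


# Constructed sample telemetry mirroring the incident above (not real logs).
SAMPLE_EVENTS = [
    ProcEvent("2023-06-21 11:01:40", "Henry",
              r"C:\Windows\System32\utilman.exe", r"C:\Windows\System32\winlogon.exe",
              "utilman.exe", original_file_name="Cmd.Exe"),
    ProcEvent("2023-06-21 11:02:05", "Henry",
              r"C:\Windows\System32\net.exe", r"C:\Windows\System32\utilman.exe",
              "net user superman onepunch123 /add"),
    ProcEvent("2023-06-21 11:02:19", "Henry",
              r"C:\Windows\System32\net.exe", r"C:\Windows\System32\utilman.exe",
              "net localgroup administrators superman"),
    # Benign: the genuine utilman.exe opened from the logon screen.
    ProcEvent("2023-06-21 08:30:00", "Henry",
              r"C:\Windows\System32\utilman.exe", r"C:\Windows\System32\winlogon.exe",
              "utilman.exe", original_file_name="utilman.exe"),
    # Benign: an interactive user mapping a network drive.
    ProcEvent("2023-06-21 09:12:31", "Henry",
              r"C:\Windows\System32\net.exe", r"C:\Windows\explorer.exe",
              r"net use Z: \\fileserver\share"),
]

if __name__ == "__main__":
    for rule, ev in analyze(SAMPLE_EVENTS):
        print(f"{ev.utc_time} {ev.host} {rule}: "
              f"{_name(ev.parent_image)} -> {ev.command_line}")
```

Rule 1 depends on the OriginalFileName field, which Sysmon Event ID 1 records but Windows Security event 4688 does not; on 4688-only telemetry, rely on rule 2 together with an integrity check of the accessibility binaries in System32 (for example a hash comparison against a known-good copy, or sfc /scannow, which is also the natural way to confirm the restore step in the containment actions).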
The alert was confirmed as a True Positive. Immediate containment actions included isolating the host, removing the unauthorized account, restoring the original utilman.exe binary