Windows User Sticky Key Values (osquery)


Description: This osquery query lists logged-on users and their Sticky Keys settings by joining the per-user StickyKeys registry values to each user's logon session. Attackers often use the Sticky Keys settings to gain access to a system.


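-- Read the values under each loaded user hive's StickyKeys key, take the SID
-- from the registry path, and join it to logon_sessions to name the user.
SELECT user, logon_sid, logon_type, upn, data, split(path, '\', 1) AS sid
FROM (SELECT data, path FROM registry
WHERE key LIKE 'HKEY_USERS\%\Control Panel\Accessibility\StickyKeys')
JOIN logon_sessions ON logon_sessions.logon_sid = sid;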

Operating Systems: Windows Only
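
Added example (not part of the original listing): a Python helper for triaging the query's JSON output. It decodes the data column with the SKF_* bit values from the Windows SDK and collapses the duplicate rows a user with several logon sessions produces. It assumes data holds the decimal Flags string; the sample rows and the names decode_flags and summarize are constructed for illustration.

```python
import json

# SKF_* bit values of the STICKYKEYS dwFlags field (Windows SDK, winuser.h).
SKF_FLAGS = {
    0x001: "STICKYKEYSON", 0x002: "AVAILABLE", 0x004: "HOTKEYACTIVE",
    0x008: "CONFIRMHOTKEY", 0x010: "HOTKEYSOUND", 0x020: "INDICATOR",
    0x040: "AUDIBLEFEEDBACK", 0x080: "TRISTATE", 0x100: "TWOKEYSOFF",
}

# Constructed sample of `osqueryi --json` output for the query above.
SAMPLE_JSON = """[
 {"user":"alice","logon_sid":"S-1-5-21-1-2-3-1001","logon_type":"Interactive","upn":"alice@example.test","data":"510","sid":"S-1-5-21-1-2-3-1001"},
 {"user":"alice","logon_sid":"S-1-5-21-1-2-3-1001","logon_type":"RemoteInteractive","upn":"alice@example.test","data":"510","sid":"S-1-5-21-1-2-3-1001"},
 {"user":"bob","logon_sid":"S-1-5-21-1-2-3-1002","logon_type":"Interactive","upn":"bob@example.test","data":"506","sid":"S-1-5-21-1-2-3-1002"},
 {"user":"carol","logon_sid":"S-1-5-21-1-2-3-1003","logon_type":"Interactive","upn":"carol@example.test","data":"","sid":"S-1-5-21-1-2-3-1003"}
]"""

def decode_flags(data):
    """Return the SKF_* names set in a Flags string, or None if it is not numeric."""
    try:
        value = int(data.strip())
    except (AttributeError, ValueError):
        return None
    return [name for bit, name in sorted(SKF_FLAGS.items()) if value & bit]

def summarize(rows):
    """Return one decoded record per distinct (user, sid, data) combination."""
    seen, records = set(), []
    for row in rows:
        key = (row.get("user"), row.get("sid"), row.get("data"))
        if key in seen:  # same user joined once per logon session
            continue
        seen.add(key)
        flags = decode_flags(row.get("data"))
        records.append({
            "user": row.get("user"),
            "sid": row.get("sid"),
            "raw": row.get("data"),
            "flags": flags,
            # None marks a value that could not be parsed and needs a manual look.
            "hotkey_active": None if flags is None else "HOTKEYACTIVE" in flags,
        })
    return records

if __name__ == "__main__":
    for record in summarize(json.loads(SAMPLE_JSON)):
        print(record["user"], record["raw"], record["hotkey_active"], record["flags"])
```
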