How does Brutus detect Sticky Keys backdoors?

Brutus automates the detection of Sticky Keys backdoors by scanning RDP services for signs of modified accessibility executables, enabling organizations to identify and remediate such vulnerabilities efficiently.

Why is detecting Sticky Keys backdoors important?

Detecting Sticky Keys backdoors is crucial because they can provide attackers with unauthorized system-level access, potentially leading to data breaches and other security incidents.

Brutus Integrates Sticky Keys Backdoor Detection to Strengthen RDP Security

Praetorian's Brutus now features automated detection of Sticky Keys backdoors in RDP services, enhancing organizations' ability to prevent unauthorized system access.

Published: March 14, 2026

Share this on:

Executive Summary

In February 2026, Praetorian released Brutus, an open-source credential testing tool designed to automate the detection of Sticky Keys backdoors in Remote Desktop Protocol (RDP) services. The Sticky Keys backdoor is a persistence mechanism where attackers replace accessibility executables like sethc.exe with cmd.exe, allowing unauthorized system-level access via the RDP login screen. Brutus enhances security assessments by integrating this detection capability, enabling organizations to identify and remediate such vulnerabilities efficiently. (helpnetsecurity.com)

The release of Brutus addresses the growing need for automated tools to detect and mitigate RDP-based backdoors, which have been exploited in various cyber attacks. By incorporating this functionality, Brutus aids security teams in proactively identifying and addressing potential entry points that could be leveraged by attackers to gain unauthorized access to systems.

Why This Matters Now

The integration of Sticky Keys backdoor detection into Brutus is crucial as attackers increasingly exploit RDP vulnerabilities to gain unauthorized access. Automated detection tools like Brutus enable organizations to proactively identify and remediate such backdoors, enhancing overall security posture.

Attack Path Analysis

An attacker exploited an exposed RDP service lacking Network Level Authentication (NLA) to gain unauthorized access. They then replaced the Sticky Keys binary with a command prompt executable to establish persistence. Using this backdoor, the attacker moved laterally within the network to access additional systems. They established command and control channels to maintain communication with compromised systems. Sensitive data was exfiltrated through these channels. Finally, the attacker deployed ransomware, encrypting critical data and disrupting business operations.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

High

Lateral Movement

Mediuminferred

Command & Control

Mediuminferred

Exfiltration

Mediuminferred

Impact

Mediuminferred

Initial Compromise

Description

The attacker exploited an exposed RDP service without Network Level Authentication (NLA) to gain unauthorized access.

Confidence:

High

MITRE ATT&CK® Techniques

Persistence

T1546.008

Accessibility Features

Lateral Movement

T1563.002

RDP Hijacking

Lateral Movement

T1076

Remote Desktop Protocol

Initial Access

T1210

Exploitation of Remote Services

Lateral Movement

T1021.001

Remote Services: Remote Desktop Protocol

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Secure Remote Access

Control ID: 8.2.2

The incident exploited unsecured remote access mechanisms, violating the requirement to implement strong controls for remote access to cardholder data environments.

NYDFS 23 NYCRR 500 – Encryption of Nonpublic Information

Control ID: 500.15

The unauthorized access via RDP indicates a failure to encrypt nonpublic information in transit, as mandated to protect sensitive data from interception.

DORA – ICT Risk Management Framework

Control ID: Article 6

The breach highlights deficiencies in the institution's ICT risk management framework, particularly in identifying and mitigating risks associated with remote access vulnerabilities.

CISA ZTMM 2.0 – Network and Environment Segmentation

Control ID: Pillar 3

The incident underscores the absence of proper network segmentation and access controls, essential components of a zero trust architecture to prevent lateral movement.

NIS2 Directive – Cybersecurity Risk Management Measures

Control ID: Article 21

The exploitation of RDP vulnerabilities indicates non-compliance with required cybersecurity risk management measures, including the implementation of appropriate technical and organizational controls.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Financial Services

RDP sticky keys persistence mechanisms threaten banking infrastructure, enabling unauthorized SYSTEM access bypassing network authentication controls for lateral movement and data exfiltration.

Health Care / Life Sciences

Healthcare systems face critical risk from pre-authentication RDP backdoors, potentially exposing patient data through compromised remote access without proper segmentation controls.

Government Administration

Government networks vulnerable to nation-state actors using sticky keys backdoors for persistent access, requiring enhanced east-west traffic monitoring and zero trust implementation.

Information Technology/IT

IT service providers face elevated exposure through RDP management interfaces, risking client environments via compromised remote administration tools and inadequate egress filtering.

Sources

Et Tu, RDP? Detecting Sticky Keys Backdoors with Brutus and WebAssemblyhttps://www.praetorian.com/blog/rdp-sticky-keys-backdoor-brutus/
Verified

Windows Sticky Keys/Utilman Registry cmd.exe Backdoorhttps://support.alertlogic.com/hc/en-us/articles/360007307931-Windows-Sticky-Keys-Utilman-Registry-cmd-exe-Backdoor

Verified

McAfee says Vista’s StickyKeys could be misusedhttps://www.computerworld.com/article/1479129/mcafee-says-vista-s-stickykeys-could-be-misused.html

Verified

Windows StickyKeys could pose security riskhttps://www.itnews.com.au/news/windows-stickykeys-could-pose-security-risk-75947

Verified

Frequently Asked Questions

The Sticky Keys backdoor is a persistence technique where attackers replace accessibility executables like sethc.exe with cmd.exe, allowing unauthorized system-level access via the RDP login screen.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Implementing Aviatrix Zero Trust CNSF could have significantly constrained the attacker's ability to exploit, persist, and propagate within the cloud environment, thereby reducing the overall impact of the incident.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: The attacker's ability to exploit the exposed RDP service would likely have been limited, reducing the risk of unauthorized access.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: The attacker's ability to escalate privileges and establish persistence would likely have been constrained, reducing the risk of unauthorized control.

Lateral Movement

Control: East-West Traffic Security

Mitigation: The attacker's ability to move laterally within the network would likely have been restricted, reducing the risk of further system compromises.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: The attacker's ability to establish and maintain command and control channels would likely have been hindered, reducing the risk of sustained unauthorized communication.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: The attacker's ability to exfiltrate sensitive data would likely have been obstructed, reducing the risk of data loss.

Impact (Mitigations)

The attacker's ability to deploy ransomware and encrypt critical data would likely have been mitigated, reducing the risk of operational disruption.

Impact at a Glance

Affected Business Functions

System Administration
User Authentication
Access Control

Operational Disruption

Estimated downtime: N/A

Financial Impact

Estimated loss: N/A

Data Exposure

Potential unauthorized access to sensitive system configurations and user data.

Recommended Actions

• Implement Network Level Authentication (NLA) to prevent unauthorized RDP access.
• Regularly monitor and audit registry changes to detect unauthorized modifications to accessibility binaries.
• Apply Zero Trust Segmentation to limit lateral movement within the network.
• Enforce egress security policies to detect and block unauthorized data exfiltration.
• Deploy threat detection systems to identify and respond to anomalous activities promptly.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

Brutus Integrates Sticky Keys Backdoor Detection to Strengthen RDP Security

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

MITRE ATT&CK® Techniques

Accessibility Features

RDP Hijacking

Remote Desktop Protocol

Exploitation of Remote Services

Remote Services: Remote Desktop Protocol

Potential Compliance Exposure

PCI DSS 4.0 – Secure Remote Access

NYDFS 23 NYCRR 500 – Encryption of Nonpublic Information

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Network and Environment Segmentation

NIS2 Directive – Cybersecurity Risk Management Measures

Sector Implications

Financial Services

Health Care / Life Sciences

Government Administration

Information Technology/IT

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads