Event Triggered Execution: Accessibility Features

Other sub-techniques of Event Triggered Execution (18)

ID	Name
ATAGS-T1069.001	Accessibility Features
ATAGS-T1069.002	AppCert DLLs
ATAGS-T1069.003	AppInit DLLs
ATAGS-T1069.004	Application Shimming
ATAGS-T1069.005	Change Default File Association
ATAGS-T1069.006	Component Object Model Hijacking
ATAGS-T1069.007	Emond
ATAGS-T1069.008	Image File Execution Options Injection
ATAGS-T1069.009	Installer Packages
ATAGS-T1069.010	LC_LOAD_DYLIB Addition
ATAGS-T1069.011	Netsh Helper DLL
ATAGS-T1069.012	PowerShell Profile
ATAGS-T1069.013	Python Startup Hooks
ATAGS-T1069.014	Screensaver
ATAGS-T1069.015	Trap
ATAGS-T1069.016	Udev Rules
ATAGS-T1069.017	Unix Shell Configuration Modification
ATAGS-T1069.018	Windows Management Instrumentation Event Subscription

Threat Actors may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.

ID: ATAGS-T1069.001

Sub-technique of: ATAGS-T1069

ⓘ

Tactic: Persistence

ⓘ

Targeted Components: Software

ⓘ

Responsibility: Provider

Created: 18 April 2026

Last Modified: 18 April 2026

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.