A long-standing DLL hijacking vulnerability has been identified in the Windows Narrator accessibility tool.
The flaw lets attackers abuse the tool to run their own code, compromising systems that rely on it for accessibility features.
Noted initially in reports dating back to 2013 by expert Hexacorn, the flaw persists in modern Windows 10 and 11 versions, allowing attackers with local administrator privileges to achieve stealthy code execution, system persistence, and even remote lateral movement.
TrustedSec's discovery, inspired by mining tactics catalogued in VX-Underground repositories, highlights how everyday accessibility features can be weaponized for malicious ends.
The technique exploits Narrator.exe’s loading of the MSTTSLocOneCoreEnUS.dll from the path %windir%\system32\speech_onecore\engines\tts.
By replacing this DLL with a malicious version, attackers can execute arbitrary code upon Narrator launch, without requiring any exports.
The payload runs from the DLL's DllMain on process attach, but the researchers refined it to suspend Narrator's main thread, silencing the tool's voice output and suppressing the visual cues that could alert users.
A proof-of-concept on GitHub demonstrates this evasion, freezing Narrator while running custom code undetected.
Attackers can embed this hijack to automatically execute at logon by modifying the registry.
Under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility, creating a REG_SZ value named “configuration” set to “Narrator” triggers the DLL on user login.
TrustedSec tests confirmed seamless persistence post-logoff, with the malicious DLL loading silently. This method requires no elevated privileges beyond initial access, making it ideal for maintaining footholds in user contexts.
For broader impact, the technique extends to SYSTEM-level persistence by applying the same registry change under HKLM, launching Narrator at the login screen with elevated privileges.
Lateral movement adds another layer: attackers with remote registry access via tools like Impacket can deploy the DLL and alter HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer to 0.
An RDP connection to the target then allows Narrator to be triggered with Ctrl+Win+Enter at the login screen, executing the payload as SYSTEM before the session closes, which forces attackers to migrate to another process quickly for sustained access.
Researchers also demonstrated "Bring Your Own Accessibility," crafting custom accessibility tools (ATs) via registry exports and imports that point to arbitrary executables, even UNC network paths, for remote payload delivery.
Triggering via ATBroker.exe /start further enhances flexibility. While no CVE has been assigned yet, the finding underscores the risks of unpatched legacy behaviors in accessibility features, and organizations are urged to monitor registry changes and DLL paths rigorously.
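The article closes by urging monitoring of the registry keys and DLL paths involved. The following PowerShell audit script is an added example for defenders; it is not TrustedSec's code, nor the proof-of-concept referenced above. It checks each persistence point the article names on the local machine: the Authenticode signature of the TTS DLL Narrator loads, the "configuration" value under the Accessibility key in HKCU and HKLM, the RDP SecurityLayer value, and registered ATs that point outside %windir% or at UNC paths. The ATs subkey and its ATExe/StartExe value names are assumptions about where Windows registers accessibility tools; run it from an elevated session so HKLM and the DLL path are readable.

```powershell
# Added audit script (not from the article or the TrustedSec research).
# Assumptions: the ATs subkey and ATExe/StartExe value names are the standard
# registration location for accessibility tools. Run in an elevated session.

function Get-NarratorHijackFindings {
    $findings = @()

    # 1. DLL hijack target: the TTS engine DLL that Narrator loads. A missing,
    #    unsigned or non-Microsoft-signed file at this path is suspicious.
    $dll = Join-Path $env:windir 'System32\Speech_OneCore\Engines\TTS\MSTTSLocOneCoreEnUS.dll'
    if (Test-Path $dll) {
        $sig  = Get-AuthenticodeSignature -FilePath $dll
        $item = Get-Item $dll
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings += [pscustomobject]@{
                Check  = 'TTS DLL signature'
                Detail = "$dll status=$($sig.Status) signer=$($sig.SignerCertificate.Subject) modified=$($item.LastWriteTime)"
            }
        }
    } else {
        $findings += [pscustomobject]@{ Check = 'TTS DLL missing'; Detail = $dll }
    }

    # 2. Logon persistence: the "configuration" value under the Accessibility key.
    #    HKCU starts the named AT at user logon; HKLM starts it at the login screen as SYSTEM.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows NT\CurrentVersion\Accessibility"
        $cfg = (Get-ItemProperty -Path $key -Name 'configuration' -ErrorAction SilentlyContinue).configuration
        if ($cfg) {
            $findings += [pscustomobject]@{
                Check  = "Accessibility 'configuration' value ($hive)"
                Detail = "value='$cfg' (this AT will start automatically)"
            }
        }
    }

    # 3. RDP SecurityLayer forced to 0, which the article describes as the change
    #    that makes the login-screen trigger reachable over RDP.
    $rdpKey = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $layer  = (Get-ItemProperty -Path $rdpKey -Name 'SecurityLayer' -ErrorAction SilentlyContinue).SecurityLayer
    if ($layer -eq 0) {
        $findings += [pscustomobject]@{ Check = 'RDP SecurityLayer'; Detail = 'SecurityLayer=0' }
    }

    # 4. "Bring Your Own Accessibility": registered ATs whose executable is a UNC path
    #    or a rooted path outside %windir%. Bare filenames (how built-in ATs are
    #    registered) are ignored to avoid false positives.
    $atsKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs'
    Get-ChildItem -Path $atsKey -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        foreach ($name in 'ATExe', 'StartExe') {
            $exe = $props.$name
            if (-not $exe) { continue }
            $isUnc     = $exe -like '\\*'
            $isRooted  = [System.IO.Path]::IsPathRooted($exe)
            $outsideWd = $isRooted -and ($exe -notlike "$env:windir*")
            if ($isUnc -or $outsideWd) {
                $findings += [pscustomobject]@{
                    Check  = "Registered AT '$($_.PSChildName)'"
                    Detail = "$name=$exe"
                }
            }
        }
    }

    return $findings
}

# Usage: print a table of findings, or a one-line all-clear.
$result = @(Get-NarratorHijackFindings)
if ($result.Count -eq 0) {
    'No Narrator/accessibility persistence indicators found.'
} else {
    $result | Format-Table -AutoSize
}
```

The signature check is the most reliable of the four: a clean system has a Microsoft-signed DLL at that path, so any deviation warrants pulling the file for analysis. The registry checks are point-in-time; for continuous coverage, the same key paths can be fed to Sysmon registry event rules or whatever endpoint telemetry is already in place.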