The Importance of Continuous Network Monitoring: Why MSSPs Should Provide 24/7 Oversight
October 30, 2025
RedLine Stealer – Active IOCs
October 31, 2025
Severity
High
Analysis Summary
A long-standing DLL-hijack vulnerability in Windows’ Narrator accessibility tool enables attackers to execute code stealthily by abusing how Narrator loads speech engine DLLs. First called out by Hexacorn in 2013, the issue remains relevant in modern Windows 10 and 11 builds: Narrator.exe will load MSTTSLocOneCoreEnUS.dll (under %windir%\system32\speech_onecore\engines\tts) and will execute code placed in that DLL without requiring any exported functions. Researchers have shown that a malicious DLL’s DllMain attach routine can be used to trigger payloads and, crucially for stealth, to suspend Narrator’s main thread so the voice and visual cues that would normally alert a user are suppressed.
Persistence is trivial once the malicious DLL is in place. At the user level an attacker can create a registry value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility named configuration with the value Narrator to cause the DLL to load at user logon; the researcher confirmed this survives logoff and relaunches silently. The same technique scales to SYSTEM persistence by applying the same registry modification under HKLM, which launches Narrator at the lock/login screen and runs the hijacked DLL with elevated privileges. A public proof-of-concept (noted on GitHub) demonstrates these techniques and the evasion that freezes Narrator while executing arbitrary code.
The attack also supports remote and lateral movement. An adversary who gains remote registry access (for example using Impacket tools) can deploy the malicious DLL to a target machine and modify HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer to 0. That change, combined with triggering Narrator at the login screen (Ctrl+Win+Enter), allows execution as SYSTEM before the session fully starts, enabling rapid process migration to maintain access. Researchers further showed that attackers can abuse “Bring Your Own Accessibility” by importing registry entries that point accessibility tool registrations to arbitrary executables (even UNC network paths), broadening delivery and execution options.
These findings emphasize that legacy behaviors in accessibility subsystems remain attackable and deserve monitoring: organizations should watch for unexpected changes to accessibility-related registry keys, validate DLL load paths under %windir% (especially speech engine locations), and restrict remote registry and RDP configuration changes. The technique is notable for requiring minimal privileges after initial placement (user-level persistence) yet allowing escalation to SYSTEM. While no CVE had been assigned at the time of reporting, the operational risk is real: defenders must treat accessibility features as potential attack surfaces and apply registry and file-monitoring controls accordingly.
Impact
- Code Execution
- Gain Access
Remediation
- Restrict filesystem permissions: ensure only TrustedInstaller/Administrators can write to %windir%\system32\speech_onecore\engines\tts (and other system DLL folders).
- Lock down specific DLLs: set explicit ACLs on MSTTSLocOneCoreEnUS.dll (and other speech engine DLLs) to prevent replacement by non-privileged accounts.
- Enforce code-signing policies: deploy AppLocker or Windows Defender Application Control (WDAC) to allow only trusted, signed DLLs and executables to load.
- Enable EDR/antivirus monitoring: ensure real-time scanning and EDR rules look for suspicious DLL loads into Narrator.exe, unexpected DllMain behavior, and APIs that suspend threads.
- Monitor and alert on registry changes: create alerts for writes/creates/renames to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility and the equivalent HKLM key, especially changes to a configuration value set to Narrator.
- Audit file integrity: implement FIM to watch for additions or modifications in %windir%\system32\speech_onecore\engines\tts and other OS folders; forward events to your SIEM.
- Harden RDP and remote registry: require NLA and strong cipher/security layer for RDP (SecurityLayer != 0), disable unnecessary remote registry service access, and restrict remote administration to approved jump hosts and admin subnets.
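The following read-only audit script is an added example, not part of this advisory or of the referenced proof-of-concept. It checks a host for the conditions the Analysis Summary and Remediation sections describe: the Accessibility configuration value in HKCU and HKLM, write permissions on the speech engine folder and MSTTSLocOneCoreEnUS.dll, the DLL's Authenticode status, the RDP SecurityLayer/NLA settings and the Remote Registry service state. It assumes a Windows 10/11 host and an elevated PowerShell 5.1 or later session; the $findings list and the identity regex used to decide which accounts count as privileged are this example's own choices.

```powershell
# Added audit script (not from the advisory). Read-only: it reports, it changes nothing.
# Assumes an elevated session so HKLM values and system-folder ACLs can be read.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Accessibility auto-start value: a 'configuration' value containing Narrator
#    launches Narrator (and any hijacked speech DLL) at logon (HKCU) or lock screen (HKLM).
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows NT\CurrentVersion\Accessibility"
    if (Test-Path $key) {
        $cfg = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).configuration
        if ($cfg -and $cfg -match 'Narrator') {
            $findings.Add("$key\configuration = '$cfg' (Narrator auto-start enabled)")
        }
    }
}

# 2. Speech engine folder and DLL: any Allow ACE granting write/modify/full control
#    to a non-privileged identity would let the DLL be replaced.
$ttsDir = Join-Path $env:windir 'System32\speech_onecore\engines\tts'
$dll    = Join-Path $ttsDir 'MSTTSLocOneCoreEnUS.dll'
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write,Modify,FullControl'
foreach ($path in @($ttsDir, $dll)) {
    if (-not (Test-Path $path)) { continue }
    foreach ($ace in (Get-Acl -Path $path).Access) {
        $id = $ace.IdentityReference.Value
        # Assumption of this example: these three identities are the expected owners/writers.
        $privileged = $id -match 'TrustedInstaller|Administrators|SYSTEM'
        $canWrite = ([int]$ace.FileSystemRights -band [int]$writeRights) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and -not $privileged) {
            $findings.Add("$path grants write rights to $id")
        }
    }
}

# 3. DLL signature: a replaced DLL will not carry a valid Microsoft signature.
#    Catalog-signed system files report 'Valid' on supported Windows versions.
if (Test-Path $dll) {
    $sig = Get-AuthenticodeSignature -FilePath $dll
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    if ($sig.Status -ne 'Valid' -or $subject -notmatch 'Microsoft') {
        $findings.Add("$dll signature status $($sig.Status), signer '$subject'")
    }
}

# 4. RDP hardening: SecurityLayer 0 = legacy RDP security layer (1 = negotiate, 2 = TLS);
#    UserAuthentication 1 = Network Level Authentication required.
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
if (Test-Path $rdp) {
    $p = Get-ItemProperty -Path $rdp
    if ($p.SecurityLayer -eq 0)      { $findings.Add('RDP SecurityLayer is 0 (legacy RDP security layer)') }
    if ($p.UserAuthentication -ne 1) { $findings.Add('RDP Network Level Authentication is not enforced') }
}

# 5. Remote Registry service: should be disabled unless there is an approved need.
$svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
if ($svc -and $svc.StartType -ne 'Disabled') {
    $findings.Add("RemoteRegistry service start type is $($svc.StartType)")
}

if ($findings.Count -eq 0) {
    'No findings.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Treat a Narrator entry in the configuration value as a finding only where Narrator auto-start is not a deliberate accessibility setting for that user or device. The HKCU check covers only the account running the script; to cover every profile on a shared host, iterate the SIDs under HKU: instead. The output is plain text so it can be collected by an endpoint management tool and forwarded to the SIEM alongside the registry and file-integrity alerts the remediation list calls for.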