Find sigma rule
Attack: Boot or Logon Autostart Execution: Winlogon Helper DLL
Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[\\Wow6432Node\\]\Microsoft\Windows NT\CurrentVersion\Winlogon\
and HKCU\ Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
are used to manage additional helper programs and functionalities that support Winlogon.(Citation: Cylance Reg Persistence Sept 2013)
Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013)
- Winlogon\Notify - points to notification package DLLs that handle Winlogon events
- Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on
- Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on
Adversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.
MITRE
Tactic
- privilege-escalation
- persistence
technique
- T1547.004
Test : Winlogon Notify Key Logon Persistence - PowerShell
OS
- windows
Description:
PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon.
Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon.
Please note that Winlogon Notifications have been removed as of Windows Vista / Windows Server 2008 and that this test thus only applies to erlier versions of Windows.
Executor
powershell
Sigma Rule
-
posh_ps_winlogon_helper_dll.yml (id: 851c506b-6b7c-4ce2-8802-c703009d03c0)
-
registry_set_winlogon_notify_key.yml (id: bbf59793-6efb-4fa1-95ca-a7d288e52c88)