Technique on mitre.org

T1547.004: Winlogon Helper DLL

Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon</code> and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</code> are used to manage additional helper programs and functionalities that support Winlogon.

Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse:

  • Winlogon\Notify - points to notification package DLLs that handle Winlogon events
  • Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on
  • Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on

Adversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_persistence: PT-CR-267: Registry_Winlogon_Helper: Persistence by Winlogon component settings modifying

Detection

IDDS0011Data source and componentModule: Module LoadDescription

New DLLs written to System32 that do not correlate with known good software or patching may also be suspicious. Look for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.

IDDS0009Data source and componentProcess: Process CreationDescription

Monitor for the execution of processes that may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.

Analytic 1 - Modification of the Winlogon Registry Key

(source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688") | where (CommandLine LIKE "%Microsoft\Windows NT\CurrentVersion\Winlogon%" AND (CommandLine LIKE "%Userinit%" OR CommandLine LIKE "%Shell%" OR CommandLine LIKE "%Notify%")) AND (CommandLine LIKE "%reg%" OR CommandLine LIKE "%add%" OR CommandLine LIKE "%/d%" OR CommandLine LIKE "%Set-ItemProperty%" OR CommandLine LIKE "%New-ItemProperty%" CommandLine LIKE "%-value%")

IDDS0017Data source and componentCommand: Command ExecutionDescription

Monitor executed commands and arguments that may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.

IDDS0024Data source and componentWindows Registry: Windows Registry Key ModificationDescription

Monitor for changes to Registry entries associated with Winlogon that do not correlate with known software, patch cycles, etc. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current Winlogon helper values.

Analytic 1 - Registry Edit with Modification of Userinit, Shell or Notify

source="*WinEventLog:Security" EventCode="4657" (ObjectValueName="Userinit" OR ObjectValueName="Shell" OR ObjectValueName="Notify") OR source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="13" (TargetObject="*Userinit" OR TargetObject="*Shell" OR TargetObject="*Notify")

Mitigation

IDM1038NameExecution PreventionDescription

Identify and block potentially malicious software that may be executed through the Winlogon helper process by using application control tools like AppLocker that are capable of auditing and/or blocking unknown DLLs.

IDM1018NameUser Account ManagementDescription

Limit the privileges of user accounts so that only authorized administrators can perform Winlogon helper changes.