CYBERSECURITY JOB HUNTING GUIDE
T1547.004 - Winlogon Helper DLL
Author: Stefan Waldvogel
LimaCharlie vs. Account Manipulation
Overview:
Description from ATT&CK
Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013)
Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013)
Winlogon\Notify - points to notification package DLLs that handle Winlogon events
Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on
Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on
Adversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.
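A read-only audit of the three Winlogon locations described above, added here as an example; it is not part of the Atomic Red Team test, of the ATT&CK entry, or of LimaCharlie's detection logic. It assumes a stock Windows install where Shell is explorer.exe and Userinit is %SystemRoot%\system32\userinit.exe (trailing comma included), and it treats any Notify subkey and any per-user Shell/Userinit value as worth review. Those two rules are the example's own heuristics, not something the page states.

```powershell
# Added audit example (not from the Atomic Red Team test or LimaCharlie):
# read-only check of the Winlogon keys named in the ATT&CK description.
# Run from an elevated PowerShell prompt on the host under review.

$WinlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

# Expected data on a stock install (assumption). Userinit normally ends with a
# trailing comma, so the comparison trims it and ignores case.
$Expected = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe"
}

function Get-WinlogonFinding {
    param([string]$Key, [string]$Name)
    $props = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if (-not $props) { return }                 # value not present: nothing to report
    $data   = [string]$props.$Name
    $actual = $data.TrimEnd(',').Trim()
    # Heuristic: per-user Shell/Userinit overrides are not set by default, so an
    # HKCU value is flagged even when its data looks ordinary. Extra
    # comma-separated entries (e.g. "explorer.exe, other.exe") also fail the match.
    $isUserHive = $Key -like 'HKCU:*'
    $status = if ($isUserHive -or ($actual -ine $Expected[$Name])) { 'REVIEW' } else { 'expected' }
    [pscustomobject]@{ Key = $Key; Value = $Name; Data = $data; Status = $status }
}

function Get-WinlogonNotifyFinding {
    param([string]$Key)
    $notify = Join-Path $Key 'Notify'
    if (-not (Test-Path $notify)) { return }
    # Heuristic: Notify packages are not supported on Vista and later, so any
    # subkey here is reported along with the DLL it points to.
    Get-ChildItem -Path $notify | ForEach-Object {
        $dll = (Get-ItemProperty -Path $_.PSPath -Name DLLName -ErrorAction SilentlyContinue).DLLName
        [pscustomobject]@{ Key = $_.Name; Value = 'DLLName'; Data = $dll; Status = 'REVIEW' }
    }
}

$findings = foreach ($key in $WinlogonKeys) {
    foreach ($name in 'Shell', 'Userinit') { Get-WinlogonFinding -Key $key -Name $name }
    Get-WinlogonNotifyFinding -Key $key
}

$findings | Format-Table -AutoSize
```

Rows marked REVIEW are candidates for follow-up, not verdicts: a legitimate management agent can register a per-user Shell, and the Wow6432Node key is absent on 32-bit systems, which the script tolerates by skipping missing keys and values. Running it before and after the Atomic test shows exactly which value the test modified and confirms that -Cleanup restored it.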
Source: github.com/redcanaryco/atomic-red-team/tree/master/atomics
Commands:
Invoke-AtomicTest T1547.004 -ShowDetailsBrief
Invoke-AtomicTest T1547.004 -CheckPrereqs
Invoke-AtomicTest T1547.004 -GetPrereqs
Invoke-AtomicTest T1547.004 -TestNumbers 1
Invoke-AtomicTest T1547.004 -Cleanup
Changes:
-none-
Limitations:
-none-
Results:
This section has 3 subtests.
Invoke-AtomicTest T1547.004 -TestNumbers 1, powershell detected
Invoke-AtomicTest T1547.004 -TestNumbers 2, powershell detected
Invoke-AtomicTest T1547.004 -TestNumbers 3, powershell detected
© 2021. This work is licensed under a CC BY-SA 4.0 license