winlogon.exe

  • File Path: C:\WINDOWS\system32\winlogon.exe
  • Description: Windows Logon Application

Hashes

Type Hash
MD5 B343A0B87CB179B4FE694E5371DF909A
SHA1 D7FD755D95359AEA77E5EA36D4B9A522E00A033C
SHA256 B46FABE1490F8CF4FC3996D4BF8799C175F3027FCCB4285057DC72E1169CF1F7
SHA384 07830A1F3DD3EFDDA305F8F0F9C8C3EC5BC144415CEBA111F3DE4C2295A7DB30E8DDB56971AD4F047AF075FF3773ADAE
SHA512 3A5F134C25BE4AF25D6F8B18B0DCB39B405C2B6D5D28008894E66A34503308C916CBC71A9ADF6112A0B6A6CD3DF3A3A55E1056BD9BB16941589764FA73DD9052
SSDEEP 12288:zPM+tpW29SlyyUcoJDqkJVlyAvWBqRR/0tsffKiKP:rMepW2ZaoJDqkJVJ9imfKiKP
IMP 72EA4733B4A93330373128B7A1F8D6D4
PESHA1 36A217FE87AD46966B218A4F5A19C845C2E66576
PE256 BCB644DD5DF4CF8D152367015A796C4562CB5D3BE4A7B604F98524FEECE47705

Runtime Data

Loaded Modules:

Path
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\System32\msvcrt.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\RPCRT4.dll
C:\WINDOWS\System32\sechost.dll
C:\WINDOWS\system32\winlogon.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WINLOGON.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/b46fabe1490f8cf4fc3996d4bf8799c175f3027fccb4285057dc72e1169cf1f7/detection

Possible Misuse

The following table contains possible examples of winlogon.exe being misused. While winlogon.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma sysmon_suspicious_remote_thread.yml - '\winlogon.exe' DRL 1.0
sigma file_event_win_creation_system_file.yml - '\winlogon.exe' DRL 1.0
sigma posh_ps_winlogon_helper_dll.yml title: Winlogon Helper DLL DRL 1.0
sigma posh_ps_winlogon_helper_dll.yml description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. DRL 1.0
sigma posh_ps_winlogon_helper_dll.yml ScriptBlockText\|contains: 'CurrentVersion\Winlogon' DRL 1.0
sigma proc_creation_win_abusing_debug_privilege.yml - '\winlogon.exe' DRL 1.0
sigma proc_creation_win_lolbin_wlrmdr.yml ParentImage: 'C:\Windows\System32\winlogon.exe' DRL 1.0
sigma proc_creation_win_proc_wrong_parent.yml - '\winlogon.exe' DRL 1.0
sigma proc_creation_win_query_registry.yml - 'winlogon\' DRL 1.0
sigma proc_creation_win_stickykey_like_backdoor.yml ParentImage\|endswith: '\winlogon.exe' DRL 1.0
sigma proc_creation_win_susp_direct_asep_reg_keys_modification.yml - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit' DRL 1.0
sigma proc_creation_win_susp_direct_asep_reg_keys_modification.yml - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell' DRL 1.0
sigma proc_creation_win_system_exe_anomaly.yml - '\winlogon.exe' DRL 1.0
sigma registry_event_asep_reg_keys_modification.yml - '\Winlogon\VmApplet' DRL 1.0
sigma registry_event_asep_reg_keys_modification.yml - '\Winlogon\Userinit' DRL 1.0
sigma registry_event_asep_reg_keys_modification.yml - '\Winlogon\Taskman' DRL 1.0
sigma registry_event_asep_reg_keys_modification.yml - '\Winlogon\Shell' DRL 1.0
sigma registry_event_asep_reg_keys_modification.yml - '\Winlogon\GpExtensions' DRL 1.0
sigma registry_event_asep_reg_keys_modification.yml - '\Winlogon\AppSetup' DRL 1.0
sigma registry_event_asep_reg_keys_modification.yml - '\Winlogon\AlternateShells\AvailableShells' DRL 1.0
sigma registry_event_asep_reg_keys_modification_currentversion_nt.yml - '\Winlogon\VmApplet' DRL 1.0
sigma registry_event_asep_reg_keys_modification_currentversion_nt.yml - '\Winlogon\Userinit' DRL 1.0
sigma registry_event_asep_reg_keys_modification_currentversion_nt.yml - '\Winlogon\Taskman' DRL 1.0
sigma registry_event_asep_reg_keys_modification_currentversion_nt.yml - '\Winlogon\Shell' DRL 1.0
sigma registry_event_asep_reg_keys_modification_currentversion_nt.yml - '\Winlogon\GpExtensions' DRL 1.0
sigma registry_event_asep_reg_keys_modification_currentversion_nt.yml - '\Winlogon\AppSetup' DRL 1.0
sigma registry_event_asep_reg_keys_modification_currentversion_nt.yml - '\Winlogon\AlternateShells\AvailableShells' DRL 1.0
sigma registry_event_winlogon_notify_key.yml title: Winlogon Notify Key Logon Persistence DRL 1.0
sigma registry_event_winlogon_notify_key.yml Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. DRL 1.0
sigma registry_event_winlogon_notify_key.yml Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. DRL 1.0
sigma registry_event_winlogon_notify_key.yml - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md#atomic-test-3---winlogon-notify-key-logon-persistence---powershell DRL 1.0
sigma registry_event_winlogon_notify_key.yml TargetObject\|endswith: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logon' DRL 1.0
malware-ioc misp_invisimole.json "description": "Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nThe following run keys are created by default on Windows systems:\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce</code>\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</code>\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce</code>\n\nThe <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx</code> is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: <code>reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\evil[.]dll\"</code> (Citation: Oddvar Moe RunOnceEx Mar 2018)\n\nThe following Registry keys can be used to set startup folder items for persistence:\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders</code>\n* <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders</code>\n* <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders</code>\n\nThe following Registry keys can control automatic startup of services during boot:\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce</code>\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices</code>\n\nUsing policy settings to specify startup programs creates corresponding values in either of two Registry keys:\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run</code>\n\nThe Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit</code> and <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell</code> subkeys can automatically launch programs.\n\nPrograms listed in the load value of the registry key <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows</code> run when any user logs on.\n\nBy default, the multistring BootExecute value of the registry key <code>HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager</code> is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\n\n\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.", © ESET 2014-2018
malware-ioc rtm %PROGRAMDATA%\Winlogon\winlogon.lnk © ESET 2014-2018
malware-ioc rtm %PROGRAMDATA%\Winlogon\*.dtt © ESET 2014-2018
malware-ioc rtm Windows Update = rundll32.exe "%PROGRAMDATA%\Winlogon\winlogon.lnk",DllGetClassObject host © ESET 2014-2018
malware-ioc rtm === Main DLL (winlogon.lnk) © ESET 2014-2018
malware-ioc rtm Winlogon © ESET 2014-2018
malware-ioc rtm \\winlogon.lnk © ESET 2014-2018
malware-ioc rtm SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon © ESET 2014-2018
malware-ioc misp-xdspy-event.json "value": "%APPDATA%\\WINinit\\WINlogon.exe", © ESET 2014-2018
malware-ioc xdspy * ++%APPDATA%\WINinit\WINlogon.exe++``{:.highlight .language-cmhg} © ESET 2014-2018
atomic-red-team index.md - T1547.004 Winlogon Helper DLL MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1547.004 Winlogon Helper DLL MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows] MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | | Systemd Service | Winlogon Helper DLL | Pass the Ticket | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | | Winlogon Helper DLL | | Process Hollowing | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | | Shortcut Modification | Winlogon Helper DLL | Odbcconf | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | | Winlogon Helper DLL | | Portable Executable Injection CONTRIBUTE A TEST | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team T1012.md reg query “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify” MIT License. © 2018 Red Canary
atomic-red-team T1012.md reg query “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit” MIT License. © 2018 Red Canary
atomic-red-team T1012.md reg query “HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell” MIT License. © 2018 Red Canary
atomic-red-team T1012.md reg query “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell” MIT License. © 2018 Red Canary
atomic-red-team T1547.001.md The Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell subkeys can automatically launch programs. MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md # T1547.004 - Winlogon Helper DLL MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md <blockquote>Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[\\Wow6432Node\\]\Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013) MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013) MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md * Winlogon\Notify - points to notification package DLLs that handle Winlogon events MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md * Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md * Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md - Atomic Test #1 - Winlogon Shell Key Persistence - PowerShell MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md - Atomic Test #2 - Winlogon Userinit Key Persistence - PowerShell MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md - Atomic Test #3 - Winlogon Notify Key Logon Persistence - PowerShell MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md ## Atomic Test #1 - Winlogon Shell Key Persistence - PowerShell MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe. MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md Set-ItemProperty “HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" “Shell” “explorer.exe, #{binary_to_execute}” -Force MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md Remove-ItemProperty -Path “HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name “Shell” -Force -ErrorAction Ignore MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md ## Atomic Test #2 - Winlogon Userinit Key Persistence - PowerShell MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe. MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md Set-ItemProperty “HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" “Userinit” “Userinit.exe, #{binary_to_execute}” -Force MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md Remove-ItemProperty -Path “HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name “Userinit” -Force -ErrorAction Ignore MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md ## Atomic Test #3 - Winlogon Notify Key Logon Persistence - PowerShell MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon. MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md New-Item “HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify” -Force MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md Set-ItemProperty “HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify” “logon” “#{binary_to_execute}” -Force MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md Remove-Item “HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify” -Force -ErrorAction Ignore MIT License. © 2018 Red Canary
signature-base apt_codoso.yar $s3 = “SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify” fullword ascii /* Goodware String - occured 10 times */ CC BY-NC 4.0
signature-base apt_codoso.yar $s10 = “winlogon” fullword ascii /* Goodware String - occured 4 times */ CC BY-NC 4.0
signature-base apt_keyboys.yar $x4 = “reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v SFCDisable /t REG_DWORD /d 4 /f” fullword ascii CC BY-NC 4.0
signature-base apt_poisonivy.yar $s3 = “winlogon.exe” fullword ascii /* PEStudio Blacklist: strings / / score: ‘5’ / / Goodware String - occured 13 times */ CC BY-NC 4.0
signature-base apt_sofacy_cannon.yar $s3 = “Windows NT\CurrentVersion\Winlogon"” fullword wide CC BY-NC 4.0
signature-base apt_volatile_cedar.yar $s9 = “WinAutologon From Winlogon Reg” fullword ascii CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s0 = “SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\%s” fullword ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base generic_anomalies.yar description = “Detects uncommon file size of winlogon.exe” CC BY-NC 4.0
signature-base generic_anomalies.yar and filename == “winlogon.exe” CC BY-NC 4.0
signature-base thor-hacktools.yar $s2 = “[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]” fullword ascii CC BY-NC 4.0
signature-base thor_inverse_matches.yar description = “Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file winlogon.exe” CC BY-NC 4.0
signature-base thor_inverse_matches.yar filename == “winlogon.exe” CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.