| sigma |
sysmon_suspicious_remote_thread.yml |
- '\winlogon.exe' |
DRL 1.0 |
| sigma |
file_event_win_creation_system_file.yml |
- '\winlogon.exe' |
DRL 1.0 |
| sigma |
posh_ps_winlogon_helper_dll.yml |
title: Winlogon Helper DLL |
DRL 1.0 |
| sigma |
posh_ps_winlogon_helper_dll.yml |
description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. |
DRL 1.0 |
| sigma |
posh_ps_winlogon_helper_dll.yml |
ScriptBlockText\|contains: 'CurrentVersion\Winlogon' |
DRL 1.0 |
| sigma |
proc_creation_win_abusing_debug_privilege.yml |
- '\winlogon.exe' |
DRL 1.0 |
| sigma |
proc_creation_win_lolbin_wlrmdr.yml |
ParentImage: 'C:\Windows\System32\winlogon.exe' |
DRL 1.0 |
| sigma |
proc_creation_win_proc_wrong_parent.yml |
- '\winlogon.exe' |
DRL 1.0 |
| sigma |
proc_creation_win_query_registry.yml |
- 'winlogon\' |
DRL 1.0 |
| sigma |
proc_creation_win_stickykey_like_backdoor.yml |
ParentImage\|endswith: '\winlogon.exe' |
DRL 1.0 |
| sigma |
proc_creation_win_susp_direct_asep_reg_keys_modification.yml |
- '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit' |
DRL 1.0 |
| sigma |
proc_creation_win_susp_direct_asep_reg_keys_modification.yml |
- '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell' |
DRL 1.0 |
| sigma |
proc_creation_win_system_exe_anomaly.yml |
- '\winlogon.exe' |
DRL 1.0 |
| sigma |
registry_event_asep_reg_keys_modification.yml |
- '\Winlogon\VmApplet' |
DRL 1.0 |
| sigma |
registry_event_asep_reg_keys_modification.yml |
- '\Winlogon\Userinit' |
DRL 1.0 |
| sigma |
registry_event_asep_reg_keys_modification.yml |
- '\Winlogon\Taskman' |
DRL 1.0 |
| sigma |
registry_event_asep_reg_keys_modification.yml |
- '\Winlogon\Shell' |
DRL 1.0 |
| sigma |
registry_event_asep_reg_keys_modification.yml |
- '\Winlogon\GpExtensions' |
DRL 1.0 |
| sigma |
registry_event_asep_reg_keys_modification.yml |
- '\Winlogon\AppSetup' |
DRL 1.0 |
| sigma |
registry_event_asep_reg_keys_modification.yml |
- '\Winlogon\AlternateShells\AvailableShells' |
DRL 1.0 |
| sigma |
registry_event_asep_reg_keys_modification_currentversion_nt.yml |
- '\Winlogon\VmApplet' |
DRL 1.0 |
| sigma |
registry_event_asep_reg_keys_modification_currentversion_nt.yml |
- '\Winlogon\Userinit' |
DRL 1.0 |
| sigma |
registry_event_asep_reg_keys_modification_currentversion_nt.yml |
- '\Winlogon\Taskman' |
DRL 1.0 |
| sigma |
registry_event_asep_reg_keys_modification_currentversion_nt.yml |
- '\Winlogon\Shell' |
DRL 1.0 |
| sigma |
registry_event_asep_reg_keys_modification_currentversion_nt.yml |
- '\Winlogon\GpExtensions' |
DRL 1.0 |
| sigma |
registry_event_asep_reg_keys_modification_currentversion_nt.yml |
- '\Winlogon\AppSetup' |
DRL 1.0 |
| sigma |
registry_event_asep_reg_keys_modification_currentversion_nt.yml |
- '\Winlogon\AlternateShells\AvailableShells' |
DRL 1.0 |
| sigma |
registry_event_winlogon_notify_key.yml |
title: Winlogon Notify Key Logon Persistence |
DRL 1.0 |
| sigma |
registry_event_winlogon_notify_key.yml |
Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. |
DRL 1.0 |
| sigma |
registry_event_winlogon_notify_key.yml |
Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. |
DRL 1.0 |
| sigma |
registry_event_winlogon_notify_key.yml |
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md#atomic-test-3---winlogon-notify-key-logon-persistence---powershell |
DRL 1.0 |
| sigma |
registry_event_winlogon_notify_key.yml |
TargetObject\|endswith: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logon' |
DRL 1.0 |
| malware-ioc |
misp_invisimole.json |
"description": "Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nThe following run keys are created by default on Windows systems:\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce</code>\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</code>\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce</code>\n\nThe <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx</code> is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: <code>reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\evil[.]dll\"</code> (Citation: Oddvar Moe RunOnceEx Mar 2018)\n\nThe following Registry keys can be used to set startup folder items for persistence:\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders</code>\n* <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders</code>\n* <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders</code>\n\nThe following Registry keys can control automatic startup of services during boot:\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce</code>\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices</code>\n\nUsing policy settings to specify startup programs creates corresponding values in either of two Registry keys:\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run</code>\n\nThe Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit</code> and <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell</code> subkeys can automatically launch programs.\n\nPrograms listed in the load value of the registry key <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows</code> run when any user logs on.\n\nBy default, the multistring BootExecute value of the registry key <code>HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager</code> is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\n\n\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.", |
© ESET 2014-2018 |
| malware-ioc |
rtm |
%PROGRAMDATA%\Winlogon\winlogon.lnk |
© ESET 2014-2018 |
| malware-ioc |
rtm |
%PROGRAMDATA%\Winlogon\*.dtt |
© ESET 2014-2018 |
| malware-ioc |
rtm |
Windows Update = rundll32.exe "%PROGRAMDATA%\Winlogon\winlogon.lnk",DllGetClassObject host |
© ESET 2014-2018 |
| malware-ioc |
rtm |
=== Main DLL (winlogon.lnk) |
© ESET 2014-2018 |
| malware-ioc |
rtm |
Winlogon |
© ESET 2014-2018 |
| malware-ioc |
rtm |
\\winlogon.lnk |
© ESET 2014-2018 |
| malware-ioc |
rtm |
SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon |
© ESET 2014-2018 |
| malware-ioc |
misp-xdspy-event.json |
"value": "%APPDATA%\\WINinit\\WINlogon.exe", |
© ESET 2014-2018 |
| malware-ioc |
xdspy |
* ++%APPDATA%\WINinit\WINlogon.exe++``{:.highlight .language-cmhg} |
© ESET 2014-2018 |
| atomic-red-team |
index.md |
- T1547.004 Winlogon Helper DLL |
MIT License. © 2018 Red Canary |
| atomic-red-team |
index.md |
- Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows] |
MIT License. © 2018 Red Canary |
| atomic-red-team |
index.md |
- Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows] |
MIT License. © 2018 Red Canary |
| atomic-red-team |
index.md |
- Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows] |
MIT License. © 2018 Red Canary |
| atomic-red-team |
windows-index.md |
- T1547.004 Winlogon Helper DLL |
MIT License. © 2018 Red Canary |
| atomic-red-team |
windows-index.md |
- Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows] |
MIT License. © 2018 Red Canary |
| atomic-red-team |
windows-index.md |
- Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows] |
MIT License. © 2018 Red Canary |
| atomic-red-team |
windows-index.md |
- Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows] |
MIT License. © 2018 Red Canary |
| atomic-red-team |
matrix.md |
| | | Systemd Service | Winlogon Helper DLL | Pass the Ticket | | | | | | | | |
MIT License. © 2018 Red Canary |
| atomic-red-team |
matrix.md |
| | | Winlogon Helper DLL | | Process Hollowing | | | | | | | | |
MIT License. © 2018 Red Canary |
| atomic-red-team |
windows-matrix.md |
| | | Shortcut Modification | Winlogon Helper DLL | Odbcconf | | | | | | | | |
MIT License. © 2018 Red Canary |
| atomic-red-team |
windows-matrix.md |
| | | Winlogon Helper DLL | | Portable Executable Injection CONTRIBUTE A TEST | | | | | | | | |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1012.md |
reg query “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify” |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1012.md |
reg query “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit” |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1012.md |
reg query “HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell” |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1012.md |
reg query “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell” |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1547.001.md |
The Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell subkeys can automatically launch programs. |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1547.004.md |
# T1547.004 - Winlogon Helper DLL |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1547.004.md |
<blockquote>Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[\\Wow6432Node\\]\Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013) |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1547.004.md |
Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013) |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1547.004.md |
* Winlogon\Notify - points to notification package DLLs that handle Winlogon events |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1547.004.md |
* Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1547.004.md |
* Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1547.004.md |
- Atomic Test #1 - Winlogon Shell Key Persistence - PowerShell |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1547.004.md |
- Atomic Test #2 - Winlogon Userinit Key Persistence - PowerShell |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1547.004.md |
- Atomic Test #3 - Winlogon Notify Key Logon Persistence - PowerShell |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1547.004.md |
## Atomic Test #1 - Winlogon Shell Key Persistence - PowerShell |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1547.004.md |
PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe. |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1547.004.md |
Set-ItemProperty “HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" “Shell” “explorer.exe, #{binary_to_execute}” -Force |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1547.004.md |
Remove-ItemProperty -Path “HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name “Shell” -Force -ErrorAction Ignore |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1547.004.md |
## Atomic Test #2 - Winlogon Userinit Key Persistence - PowerShell |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1547.004.md |
PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe. |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1547.004.md |
Set-ItemProperty “HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" “Userinit” “Userinit.exe, #{binary_to_execute}” -Force |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1547.004.md |
Remove-ItemProperty -Path “HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name “Userinit” -Force -ErrorAction Ignore |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1547.004.md |
## Atomic Test #3 - Winlogon Notify Key Logon Persistence - PowerShell |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1547.004.md |
PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon. |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1547.004.md |
New-Item “HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify” -Force |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1547.004.md |
Set-ItemProperty “HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify” “logon” “#{binary_to_execute}” -Force |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1547.004.md |
Remove-Item “HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify” -Force -ErrorAction Ignore |
MIT License. © 2018 Red Canary |
| signature-base |
apt_codoso.yar |
$s3 = “SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify” fullword ascii /* Goodware String - occured 10 times */ |
CC BY-NC 4.0 |
| signature-base |
apt_codoso.yar |
$s10 = “winlogon” fullword ascii /* Goodware String - occured 4 times */ |
CC BY-NC 4.0 |
| signature-base |
apt_keyboys.yar |
$x4 = “reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v SFCDisable /t REG_DWORD /d 4 /f” fullword ascii |
CC BY-NC 4.0 |
| signature-base |
apt_poisonivy.yar |
$s3 = “winlogon.exe” fullword ascii /* PEStudio Blacklist: strings / / score: ‘5’ / / Goodware String - occured 13 times */ |
CC BY-NC 4.0 |
| signature-base |
apt_sofacy_cannon.yar |
$s3 = “Windows NT\CurrentVersion\Winlogon"” fullword wide |
CC BY-NC 4.0 |
| signature-base |
apt_volatile_cedar.yar |
$s9 = “WinAutologon From Winlogon Reg” fullword ascii |
CC BY-NC 4.0 |
| signature-base |
cn_pentestset_tools.yar |
$s0 = “SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\%s” fullword ascii /* PEStudio Blacklist: strings */ |
CC BY-NC 4.0 |
| signature-base |
generic_anomalies.yar |
description = “Detects uncommon file size of winlogon.exe” |
CC BY-NC 4.0 |
| signature-base |
generic_anomalies.yar |
and filename == “winlogon.exe” |
CC BY-NC 4.0 |
| signature-base |
thor-hacktools.yar |
$s2 = “[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]” fullword ascii |
CC BY-NC 4.0 |
| signature-base |
thor_inverse_matches.yar |
description = “Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file winlogon.exe” |
CC BY-NC 4.0 |
| signature-base |
thor_inverse_matches.yar |
filename == “winlogon.exe” |
CC BY-NC 4.0 |