Monitor Windows Registry modifications to the Winlogon values and subkeys (Shell, Userinit, Notify) that introduce new executable or DLL paths. Correlate these changes with subsequent DLL loads, image loads, or process creation originating from winlogon.exe or userinit.exe. Abnormal child-process lineage under those processes, or unauthorized binaries placed in C:\Windows\System32, may indicate abuse.
| Data Component | Name | Channel |
|---|---|---|
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Security | modification to Winlogon registry keys such as Shell, Notify, or Userinit |
| Windows Registry Key Access (DC0050) | Autoruns:RegistryScan | Enumerate Winlogon subkeys for unknown or unsigned binaries |

| Field | Description |
|---|---|
| TimeWindow | Time correlation between registry modification and malicious module load or process creation |
| UserContext | Privilege level or user context under which registry changes or process executions occur |
| BinarySignatureValidation | Whether to validate binary signatures when DLLs are loaded via Winlogon helper paths |
| ExecutablePathScope | Scope of directories considered suspicious for helper DLLs (e.g., temp paths, non-System32 locations) |