Boot or Logon Autostart Execution: Winlogon Helper DLL

Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon.[1]

Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: [1]

  • Winlogon\Notify - points to notification package DLLs that handle Winlogon events
  • Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on
  • Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on

Adversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.

ID: T1547.004
Sub-technique of:  T1547
Platforms: Windows
Permissions Required: Administrator, SYSTEM
Contributors: Praetorian
Version: 1.1
Created: 24 January 2020
Last Modified: 14 August 2023

Procedure Examples

ID Name Description
S0534 Bazar

Bazar can use Winlogon Helper DLL to establish persistence.[2]

S0351 Cannon

Cannon adds the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon to establish persistence.[3]

S1066 DarkTortilla

DarkTortilla has established persistence via the Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key.[4]

S0200 Dipsind

A Dipsind variant registers as a Winlogon Event Notify DLL to establish persistence.[5]

S0168 Gazer

Gazer can establish persistence by setting the value "Shell" with "explorer.exe, %malware_pathfile%" under the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.[6]

S0387 KeyBoy

KeyBoy issues the command reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" to achieve persistence.[7] [8]

S0375 Remexi

Remexi achieves persistence using Userinit by adding the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit.[9]

S0379 Revenge RAT

Revenge RAT creates a Registry key at HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell to survive a system reboot.[10]

G0081 Tropic Trooper

Tropic Trooper has created the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell and sets the value to establish persistence.[11][12]

G0010 Turla

Turla established persistence by adding a Shell value under the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.[13]

G0102 Wizard Spider

Wizard Spider has established persistence using Userinit by adding the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.[14]

Mitigations

ID Mitigation Description
M1038 Execution Prevention

Identify and block potentially malicious software that may be executed through the Winlogon helper process by using application control [15] tools like AppLocker [16] [17] that are capable of auditing and/or blocking unknown DLLs.

M1018 User Account Management

Limit the privileges of user accounts so that only authorized administrators can perform Winlogon helper changes.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.

Analytic 1 - Modification of the Winlogon Registry Key

suspicious_processes = filter processes where (event_id == "1" OR event_id == "4688") AND (ProcessCommandLine LIKE '%Microsoft\Windows NT\CurrentVersion\Winlogon%' AND (ProcessCommandLine LIKE '%Userinit%' OR ProcessCommandLine LIKE '%Shell%' OR ProcessCommandLine LIKE '%Notify%')) AND (ProcessCommandLine LIKE '%reg%' OR ProcessCommandLine LIKE '%add%' OR ProcessCommandLine LIKE '%/d%' OR ProcessCommandLine LIKE '%Set-ItemProperty%' OR ProcessCommandLine LIKE '%New-ItemProperty%' ProcessCommandLine LIKE '%-value%')

DS0011 Module Module Load

New DLLs written to System32 that do not correlate with known good software or patching may also be suspicious. Look for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.

DS0024 Windows Registry Windows Registry Key Modification

Monitor for changes to Registry entries associated with Winlogon that do not correlate with known software, patch cycles, etc. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current Winlogon helper values. [18]

Analytic 1 - Modification of the Winlogon Registry Key

suspicious_processes = filter registry where event_id == "13" AND (RegistryKeyPath LIKE '%Userinit%' OR RegistryKeyPath LIKE '%Shell%' OR RegistryKeyPath LIKE '%Notify%')

References