Winlogon Helper DLL
|Permissions Required|Administrator, SYSTEM|
|Data Sources|Windows Registry, File monitoring, Process monitoring|
Winlogon is a part of some Windows versions that performs actions at logon. In Windows systems prior to Windows Vista, a Registry key can be modified that causes Winlogon to load a DLL on startup. Adversaries may take advantage of this feature to load adversarial code at startup for persistence.
- Gazer can establish persistence by setting the value “Shell” with “explorer.exe, %malware_pathfile%” under the Registry key
Upgrade the operating system to a newer version of Windows if using a version prior to Vista.
Limit the privileges of user accounts so that only authorized administrators can perform Winlogon helper changes.
Identify and block potentially malicious software that may be executed through the Winlogon helper process by using whitelisting[2] tools like AppLocker[3][4] that are capable of auditing and/or blocking unknown DLLs.
Monitor for changes to registry entries in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify that do not correlate with known software, patch cycles, etc. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current Winlogon helper values.[5] New DLLs written to System32 that do not correlate with known good software or patching may also be suspicious.
Look for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
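As an added example (not part of the original page or the cited tools), a small Python audit that parses exported `reg query "<key>" /s` output and flags Winlogon values that deviate from a stock baseline: an appended Shell or Userinit entry, or any DllName under a Notify subkey. The baseline paths, the sample_pkg Notify entry and the update.dll path are constructed for illustration.

```python
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Baseline for the values Winlogon persistence typically alters (assumption: a stock
# install with Windows on C:; adjust to your gold image). Shell/Userinit are
# comma-separated lists, so an appended entry is the usual sign of tampering.
EXPECTED = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
}
# Constructed sample of `reg query "<key>" /s` output; not captured from a real host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe, C:\Users\Public\update.dll
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sample_pkg
    DllName    REG_SZ    C:\Windows\System32\sample_pkg.dll
"""

def parse_reg_query(text):
    """Parse reg query output into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):  # unindented line is a key path
            current = line.strip()
            keys[current] = {}
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)  # name, type, data
        if len(parts) == 3 and current is not None:
            keys[current][parts[0]] = parts[2]
    return keys

def audit_winlogon(keys):
    """Return (key, value_name, data) tuples that deviate from the baseline."""
    findings = []
    for key, values in keys.items():
        if key.lower() == WINLOGON_KEY.lower():
            for name, data in values.items():
                entries = {e.strip().strip('"').lower() for e in data.split(",") if e.strip()}
                if name.lower() in EXPECTED and entries != EXPECTED[name.lower()]:
                    findings.append((key, name, data))
        elif key.lower().startswith(WINLOGON_KEY.lower() + "\\notify\\"):
            # Notify packages are unsupported on Vista and later, so any DllName is suspect
            if "DllName" in values:
                findings.append((key, "DllName", values["DllName"]))
    return findings
```

Run `audit_winlogon(parse_reg_query(text))` over exports collected from each host and feed the tuples into your alerting pipeline; tune EXPECTED to the image actually deployed.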
- ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
- Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
- Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.