Description
Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon.(Citation: Cylance Reg Persistence Sept 2013)
Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys and values have been abused: (Citation: Cylance Reg Persistence Sept 2013)
- Winlogon\Notify - points to notification package DLLs that handle Winlogon events (a legacy mechanism; Winlogon notification packages are not loaded on Windows Vista and later, so the Notify subkey is mainly relevant to older systems)
- Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on
- Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on
Both Userinit and Shell accept a comma-separated list of programs, so an adversary can append a payload after the legitimate entry (for example "explorer.exe, <payload>") rather than replace it, which keeps the logon looking normal to the user.
Adversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.
Platforms
Windows
Mitigations (2)
Execution Prevention (M1038)
Identify and block potentially malicious software that may be executed through the Winlogon helper process by using application control (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.
User Account Management (M1018)
Limit the privileges of user accounts so that only authorized administrators can modify the HKLM Winlogon helper values. This does not cover the HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key, which is writable by the user whose hive it is, so per-user Shell or Userinit values (the route used by Turla, Tropic Trooper, Revenge RAT and Cannon below) still have to be caught by monitoring or application control.
Threat Groups (3)
| ID | Group | Context |
|---|---|---|
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has established persistence using Userinit by adding the Registry key HKLM\SOFTWARE\Microsoft\W... |
| G0081 | Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has created the Registry key <code>HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\... |
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) established persistence by adding a Shell value under the Registry key <code>HKCU\Software\Microsoft\Wi... |
Associated Software (10)
| ID | Name | Type | Context |
|---|---|---|---|
| S0168 | Gazer | Malware | [Gazer](https://attack.mitre.org/software/S0168) can establish persistence by setting the value “Shell” with “explorer.exe, %malware_pathfile%” under ... |
| S1242 | Qilin | Malware | [Qilin](https://attack.mitre.org/software/S1242) can configure a Winlogon registry entry.(Citation: Trend Micro Agenda Ransomware AUG 2022) |
| S1066 | DarkTortilla | Malware | [DarkTortilla](https://attack.mitre.org/software/S1066) has established persistence via the `Software\Microsoft\Windows NT\CurrentVersion\Winlogon` r... |
| S0200 | Dipsind | Malware | A [Dipsind](https://attack.mitre.org/software/S0200) variant registers as a Winlogon Event Notify DLL to establish persistence.(Citation: Microsoft PL... |
| S0534 | Bazar | Malware | [Bazar](https://attack.mitre.org/software/S0534) can use Winlogon Helper DLL to establish persistence.(Citation: Zscaler Bazar September 2020) |
| S0375 | Remexi | Malware | [Remexi](https://attack.mitre.org/software/S0375) achieves persistence using Userinit by adding the Registry key <code>HKLM\Software\Microsoft\Windows... |
| S0379 | Revenge RAT | Malware | [Revenge RAT](https://attack.mitre.org/software/S0379) creates a Registry key at <code>HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shel... |
| S1202 | LockBit 3.0 | Malware | [LockBit 3.0](https://attack.mitre.org/software/S1202) can enable automatic logon through the `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` ... |
| S0387 | KeyBoy | Malware | [KeyBoy](https://attack.mitre.org/software/S0387) issues the command <code>reg add “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon”</code>... |
| S0351 | Cannon | Malware | [Cannon](https://attack.mitre.org/software/S0351) adds the Registry key <code>HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</code> to est... |
References
- Langendorf, S. (2013, September 24). Windows Registry Persistence, Part 2: The Run Keys and Search-Order. Retrieved November 17, 2024.
- Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.
Frequently Asked Questions
What is T1547.004 (Winlogon Helper DLL)?
T1547.004 is a MITRE ATT&CK technique named 'Winlogon Helper DLL'. It belongs to the Persistence, Privilege Escalation tactic(s). Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure att...
How can T1547.004 be detected?
Detection of T1547.004 (Winlogon Helper DLL) centres on the Registry values Winlogon reads at logon. Monitor HKLM and HKCU \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, \Userinit and \Notify for modifications that do not correlate with known software installs or patch cycles (for example Sysmon Event ID 13, RegistryEvent value set, or Windows Security event 4657 with an audit SACL on the key). Baseline the current helper values with a tool such as Sysinternals Autoruns (Russinovich 2016), alert on winlogon.exe or userinit.exe launching anything other than the expected userinit.exe and explorer.exe, and review new DLLs written to System32 that do not correlate with known-good software or patching.
What mitigations exist for T1547.004?
There are 2 documented mitigations for T1547.004. Key mitigations include: Execution Prevention, User Account Management.
Which threat groups use T1547.004?
Known threat groups using T1547.004 include: Wizard Spider, Tropic Trooper, Turla.