Winlogon Helper DLL
Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software\[Wow6432Node\]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.
Sigma rule
title: Winlogon Helper DLL
id: 851c506b-6b7c-4ce2-8802-c703009d03c0
status: test
description: |
    Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
    Registry entries in HKLM\Software\[Wow6432Node\]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are
    used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to
    load and execute malicious DLLs and/or executables.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2022-07-07
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.004
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: 'CurrentVersion\Winlogon'
    selection2:
        ScriptBlockText|contains:
            - 'Set-ItemProperty'
            - 'New-Item'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
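The detection logic above, as an added example that is not part of the rule or of the Sigma project's own tooling: a small Python evaluator that applies the two selections and the `all of selection*` condition to PowerShell Script Block Logging records. It implements only the subset of Sigma semantics this rule uses (the `|contains` modifier as a case-insensitive substring test, selections ANDed together), and the log records it runs over are constructed for the example. The value name and paths in the samples are placeholders, not values from the rule or its reference.

```python
"""Evaluate the 'Winlogon Helper DLL' Sigma rule over constructed script-block events.

Added example, not code from the Sigma project. Supports only what the rule
needs: the 'contains' modifier (case-insensitive substring, as Sigma specifies
for plain string matching) and the 'all of selection*' condition.
"""
from typing import Dict, List, Mapping

# Transcribed from the rule's detection section (selection names and strings as on the page).
RULE: Dict[str, Dict[str, List[str]]] = {
    "selection": {"ScriptBlockText|contains": ["CurrentVersion\\Winlogon"]},
    "selection2": {"ScriptBlockText|contains": ["Set-ItemProperty", "New-Item"]},
}
CONDITION = "all of selection*"


def _contains(event: Mapping[str, object], field_name: str, needles: List[str]) -> bool:
    """Sigma 'contains': true if any listed value is a case-insensitive substring of the field."""
    haystack = str(event.get(field_name, "")).lower()
    return any(n.lower() in haystack for n in needles)


def selection_matches(event: Mapping[str, object], selection: Mapping[str, List[str]]) -> bool:
    """Every field entry inside one selection map must match (Sigma's implicit AND)."""
    for key, values in selection.items():
        field_name, _, modifier = key.partition("|")
        if modifier != "contains":
            raise NotImplementedError(f"modifier not supported in this example: {modifier}")
        if not _contains(event, field_name, values):
            return False
    return True


def rule_matches(event: Mapping[str, object]) -> bool:
    """'all of selection*': each selection whose name starts with 'selection' must match."""
    wanted = [sel for name, sel in RULE.items() if name.startswith("selection")]
    return all(selection_matches(event, sel) for sel in wanted)


def find_matches(events: List[Mapping[str, object]]) -> List[int]:
    """Return the RecordId of every event the rule fires on."""
    return [int(e["RecordId"]) for e in events if rule_matches(e)]


# Constructed sample records shaped like Script Block Logging events (Event ID 4104).
# 'ExampleValue' and the file path are placeholders, not real Winlogon value names.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # 1: write to the Winlogon key -> both selections match -> alert
    {"RecordId": 1, "EventID": 4104, "ScriptBlockText":
        r"Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' "
        r"-Name 'ExampleValue' -Value 'C:\placeholder\helper.dll'"},
    # 2: read-only query of the same key -> selection only, selection2 missing -> no alert
    {"RecordId": 2, "EventID": 4104, "ScriptBlockText":
        r"Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'"},
    # 3: New-Item against an unrelated key -> selection2 only -> no alert
    {"RecordId": 3, "EventID": 4104, "ScriptBlockText":
        r"New-Item -Path 'HKCU:\Software\Contoso\ExampleApp' -Force"},
    # 4: same write in lower case under HKCU -> still matches, because 'contains' is case-insensitive
    {"RecordId": 4, "EventID": 4104, "ScriptBlockText":
        r"set-itemproperty -path 'hkcu:\software\microsoft\windows nt\currentversion\winlogon' "
        r"-name 'ExampleValue' -value 'placeholder'"},
    # 5: the Wow6432Node variant from the description still contains 'CurrentVersion\Winlogon'
    {"RecordId": 5, "EventID": 4104, "ScriptBlockText":
        r"New-Item -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Example'"},
]

if __name__ == "__main__":
    for rid in find_matches(SAMPLE_EVENTS):
        print(f"ALERT: rule 851c506b matched RecordId {rid}")
```

Records 2 and 3 show why the rule needs both selections: a read of the key or a write elsewhere each satisfies only one of them, which keeps ordinary administration and inventory scripts out of the alert stream. Record 5 shows that the `Wow6432Node` path named in the description is covered without a separate pattern, since the matched substring sits after it.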
References
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md
Related rules
- MITRE BZAR Indicators for Persistence
- Winlogon Notify Key Logon Persistence
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain