Winlogon Helper DLL

Winlogon.exe is the Windows component responsible for actions at logon and logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries under HKLM\Software\[Wow6432Node\]Microsoft\Windows NT\CurrentVersion\Winlogon\ (the bracketed Wow6432Node segment is optional) and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionality that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute attacker-supplied DLLs and/or executables.

Sigma rule

title: Winlogon Helper DLL
id: 851c506b-6b7c-4ce2-8802-c703009d03c0
status: test
description: |
    Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
    Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are
    used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to
    load and execute malicious DLLs and/or executables.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2022/07/07
tags:
    - attack.persistence
    - attack.t1547.004
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: 'CurrentVersion\Winlogon'
    selection2:
        ScriptBlockText|contains:
            - 'Set-ItemProperty'
            - 'New-Item'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
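The rule above fires when a logged PowerShell script block both names the Winlogon key and uses one of two registry-writing cmdlets. The following Python is an added example, not code from the Sigma project or the rule's author: it re-implements the rule's two selections and its `all of selection*` condition so the logic can be exercised offline against constructed Script Block Logging (Event ID 4104) text. Sigma's `contains` modifier is case-insensitive, which the matcher reproduces; the sample script blocks, their labels and the file paths in them are all constructed placeholders, and the last sample shows why `falsepositives` is listed as unknown: a routine administrative change to the same key also matches.

```python
# Added example: the Sigma rule "Winlogon Helper DLL" re-implemented as a
# small matcher over constructed ScriptBlockText values. Not part of the
# Sigma project; constructed for offline testing of the detection logic.

# The two selections from the rule. Sigma string matching (including the
# `contains` modifier) is case-insensitive, so both sides are lowercased.
SELECTION_KEY = "CurrentVersion\\Winlogon"
SELECTION_WRITE_CMDLETS = ("Set-ItemProperty", "New-Item")


def matches_rule(script_block_text):
    """condition: all of selection* -> the block must name the Winlogon key
    AND contain at least one of the registry-writing cmdlets."""
    text = script_block_text.lower()
    names_winlogon_key = SELECTION_KEY.lower() in text
    uses_write_cmdlet = any(c.lower() in text for c in SELECTION_WRITE_CMDLETS)
    return names_winlogon_key and uses_write_cmdlet


# Constructed sample script blocks (label -> ScriptBlockText). Paths such as
# C:\PLACEHOLDER\... are placeholders, not real indicators.
SAMPLE_EVENTS = {
    # Write to a Winlogon value: the case the rule is written for.
    "write_shell_value": (
        r"Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' "
        r"-Name Shell -Value 'explorer.exe,C:\PLACEHOLDER\sample.exe'"
    ),
    # Same technique, lower-cased cmdlet and path: must still match.
    "new_subkey_mixed_case": (
        r"new-item -path 'hklm:\software\microsoft\windows nt\currentversion\winlogon' "
        r"-name PlaceholderSubkey"
    ),
    # The 32-bit view of the key still contains the 'CurrentVersion\Winlogon' substring.
    "wow6432node_path": (
        r"Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon' "
        r"-Name Userinit -Value 'C:\Windows\system32\userinit.exe,'"
    ),
    # Reading the key is not a modification: selection2 is not satisfied.
    "benign_read_only": (
        r"Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name Shell"
    ),
    # A write cmdlet against an unrelated key: selection is not satisfied.
    "write_unrelated_key": (
        r"Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name Wallpaper "
        r"-Value 'C:\Users\Public\bg.jpg'"
    ),
    # Legitimate administration of the same key: matches, hence the unknown
    # false-positive rate and the medium level.
    "admin_autologon_change": (
        r"Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' "
        r"-Name AutoAdminLogon -Value 1"
    ),
}


def evaluate(events):
    """Run the rule over every sample and report which ones would alert."""
    return {label: matches_rule(text) for label, text in events.items()}


if __name__ == "__main__":
    for label, fired in evaluate(SAMPLE_EVENTS).items():
        print(f"{'ALERT' if fired else 'quiet'}  {label}")
```

When triaging an alert from this rule, the script block text itself tells you which value was touched; a change to Shell or Userinit pointing at an unexpected path deserves a closer look than a change to AutoAdminLogon made by a known build or imaging process.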
