Winlogon Notify Key Logon Persistence
Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
Sigma rule (View on GitHub)
1title: Winlogon Notify Key Logon Persistence
2id: bbf59793-6efb-4fa1-95ca-a7d288e52c88
3status: test
4description: |
5 Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.
6 Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
7references:
8 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md#atomic-test-3---winlogon-notify-key-logon-persistence---powershell
9author: frack113
10date: 2021-12-30
11modified: 2023-08-17
12tags:
13 - attack.privilege-escalation
14 - attack.persistence
15 - attack.t1547.004
16logsource:
17 category: registry_set
18 product: windows
19detection:
20 selection:
21 TargetObject|endswith: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logon'
22 Details|endswith: '.dll'
23 condition: selection
24falsepositives:
25 - Unknown
26level: high
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- MITRE BZAR Indicators for Persistence
- Winlogon Helper DLL
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain