Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in <code>HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> and <code>HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> are used to manage additional helper programs and functionalities that support Winlogon.(Citation: Cylance Reg Persistence Sept 2013)
Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013)
Adversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1547.004 | Winlogon Helper DLL | This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts. |
| PR.AA-01.01 | Identity and credential management | Mitigates | T1547.004 | Winlogon Helper DLL | This diagnostic statement protects against Winlogon Helper DLL through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts. |

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-05 | Access Restrictions for Change | mitigates | T1547.004 | Winlogon Helper DLL | |
| AC-17 | Remote Access | mitigates | T1547.004 | Winlogon Helper DLL | |
| SI-14 | Non-persistence | mitigates | T1547.004 | Winlogon Helper DLL | |
| SI-16 | Memory Protection | mitigates | T1547.004 | Winlogon Helper DLL | |
| SI-10 | Information Input Validation | mitigates | T1547.004 | Winlogon Helper DLL | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1547.004 | Winlogon Helper DLL | |
| IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1547.004 | Winlogon Helper DLL | |
| CM-07 | Least Functionality | mitigates | T1547.004 | Winlogon Helper DLL | |
| SI-04 | System Monitoring | mitigates | T1547.004 | Winlogon Helper DLL | |
| AC-02 | Account Management | mitigates | T1547.004 | Winlogon Helper DLL | |
| AC-03 | Access Enforcement | mitigates | T1547.004 | Winlogon Helper DLL | |
| AC-05 | Separation of Duties | mitigates | T1547.004 | Winlogon Helper DLL | |
| AC-06 | Least Privilege | mitigates | T1547.004 | Winlogon Helper DLL | |

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1547.004 | Winlogon Helper DLL | |
| action.hacking.vector.Command shell | Remote shell | related-to | T1547.004 | Winlogon Helper DLL | |
| attribute.integrity.variety.Modify configuration | Modified configuration or services | related-to | T1547.004 | Winlogon Helper DLL | |

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | technique_scores | T1547.004 | Winlogon Helper DLL | This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis. |
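
The description at the top of this page names the Winlogon keys under HKLM (including the Wow6432Node view) and HKCU, and the File Integrity Monitoring comment above notes that a control which records and re-checks those keys can surface the change. The script below is an added example illustrating that defensive check; it is not code from MITRE, Microsoft, or the cited Cylance report. It snapshots every value under the three Winlogon keys, saves a JSON baseline on the first run, and on later runs reports values that were added, removed, or changed, so it can be scheduled more often than the hourly scan the comment mentions. It assumes Windows PowerShell 5.1 or PowerShell 7 with rights to read HKLM; the baseline path and the expected defaults for the Shell and Userinit values are this example's own assumptions and should be confirmed against a known-good host.

```powershell
# Added example (not MITRE's or Microsoft's code): baseline and diff the Winlogon registry keys.
# Assumptions: Windows PowerShell 5.1 / PowerShell 7, read access to HKLM, and a baseline path
# chosen for this example. Expected defaults below are assumed, not taken from the page.

$WinlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

# Assumed defaults for two well-known values; verify on a known-good build of your own image.
$ExpectedDefaults = @{
    'Shell'    = 'explorer.exe'
    'Userinit' = "$env:SystemRoot\system32\userinit.exe,"
}

function Get-WinlogonSnapshot {
    # Returns a hashtable keyed "<full key name>\<value name>" with the raw, unexpanded data as a string.
    $snapshot = @{}
    foreach ($path in $WinlogonKeys) {
        if (-not (Test-Path -Path $path)) { continue }
        $keys = @(Get-Item -Path $path) + @(Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $data = $key.GetValue($name, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                $snapshot["$($key.Name)\$name"] = (@($data) -join ';')
            }
        }
    }
    return $snapshot
}

function Save-WinlogonBaseline([string]$Path) {
    Get-WinlogonSnapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
}

function Import-WinlogonBaseline([string]$Path) {
    # ConvertFrom-Json yields a PSCustomObject; flatten it back into a hashtable for comparison.
    $obj = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $table = @{}
    foreach ($p in $obj.PSObject.Properties) { $table[$p.Name] = [string]$p.Value }
    return $table
}

function Compare-WinlogonSnapshot([hashtable]$Baseline, [hashtable]$Current) {
    # One record per added, removed or changed value, suitable for piping to a log or SIEM forwarder.
    foreach ($k in $Current.Keys) {
        if (-not $Baseline.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'Added';   Value = $k; Before = $null;         After = $Current[$k] }
        } elseif ($Baseline[$k] -ne $Current[$k]) {
            [pscustomobject]@{ Change = 'Changed'; Value = $k; Before = $Baseline[$k]; After = $Current[$k] }
        }
    }
    foreach ($k in $Baseline.Keys) {
        if (-not $Current.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'Removed'; Value = $k; Before = $Baseline[$k]; After = $null }
        }
    }
}

function Test-WinlogonDefaults([hashtable]$Snapshot) {
    # Flags the well-known values whenever they differ from the assumed defaults (PowerShell -ne is case-insensitive).
    foreach ($entry in $Snapshot.GetEnumerator()) {
        $name = Split-Path -Path $entry.Key -Leaf
        if ($ExpectedDefaults.ContainsKey($name) -and $entry.Value -ne $ExpectedDefaults[$name]) {
            [pscustomobject]@{ Change = 'NonDefault'; Value = $entry.Key; Before = $ExpectedDefaults[$name]; After = $entry.Value }
        }
    }
}

# Usage: the first run writes the baseline; every later run reports drift against it.
$BaselinePath = Join-Path -Path $env:ProgramData -ChildPath 'winlogon-baseline.json'
if (-not (Test-Path -Path $BaselinePath)) {
    Save-WinlogonBaseline -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath"
}
$current = Get-WinlogonSnapshot
Compare-WinlogonSnapshot -Baseline (Import-WinlogonBaseline -Path $BaselinePath) -Current $current
Test-WinlogonDefaults -Snapshot $current
```

The baseline is written under ProgramData only for illustration; in practice it should live somewhere a local administrator cannot silently rewrite (for example, collected centrally), since an attacker who can edit the Winlogon keys can usually edit a local baseline file too. Both HKLM views are read because a 32-bit process sees the Wow6432Node key, so a change there would otherwise go unnoticed by a 64-bit-only check.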