T1547.004 Winlogon Helper DLL Mappings

Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in <code>HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> and <code>HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013)

Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013)

  • Winlogon\Notify - points to notification package DLLs that handle Winlogon events
  • Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on
  • Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on

Adversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1547.004 Winlogon Helper DLL
AC-3 Access Enforcement Protects T1547.004 Winlogon Helper DLL
AC-5 Separation of Duties Protects T1547.004 Winlogon Helper DLL
AC-6 Least Privilege Protects T1547.004 Winlogon Helper DLL
CM-5 Access Restrictions for Change Protects T1547.004 Winlogon Helper DLL
CM-7 Least Functionality Protects T1547.004 Winlogon Helper DLL
IA-2 Identification and Authentication (organizational Users) Protects T1547.004 Winlogon Helper DLL
SI-10 Information Input Validation Protects T1547.004 Winlogon Helper DLL
SI-7 Software, Firmware, and Information Integrity Protects T1547.004 Winlogon Helper DLL
file_integrity_monitoring File Integrity Monitoring technique_scores T1547.004 Winlogon Helper DLL