Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in <code>HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> and <code>HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013)
Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013)
Adversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.
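As an added defensive example (not part of the ATT&CK description or the mapping data), the following Python script checks a `reg export` of the Winlogon keys named above against a baseline: it decodes the REG_SZ values, compares Shell and Userinit with assumed stock defaults, and flags any Notify package that registers a DLL. The sample export, the value names and the default values are assumptions of this example, not taken from this page.

```python
import re

# Winlogon keys named in the technique description; `reg export` spells the hives out in full.
WINLOGON_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
)

# Assumed stock defaults for two helper values; capture a real baseline from a known-good host.
EXPECTED = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}

# Constructed sample export: Userinit carries an extra executable and a Notify package is registered.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\svc.exe,"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sampleprov]
"DLLName"="C:\\Users\\Public\\sampleprov.dll"
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: data}}; only REG_SZ ("name"="data") lines are decoded."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and (m := re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)):
            name, data = (s.replace("\\\\", "\\").replace('\\"', '"') for s in m.groups())
            keys[current][name] = data
    return keys


def audit_winlogon(keys):
    """Return (key, value_name, data, reason) for helper values that deviate from the baseline."""
    findings = []
    for key, values in keys.items():
        base = next((b for b in WINLOGON_KEYS if key.lower().startswith(b.lower())), None)
        if base is None:
            continue
        if key.lower() == base.lower():
            for name, expected in EXPECTED.items():
                if name in values and values[name].lower() != expected.lower():
                    findings.append((key, name, values[name], f"differs from baseline {expected!r}"))
        elif key.lower().startswith(base.lower() + "\\notify\\") and "DLLName" in values:
            findings.append((key, "DLLName", values["DLLName"], "Notify package DLL loaded by Winlogon"))
    return findings
```

On a live host, pass the text of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` (written as UTF-16, so decode it before parsing); the findings are the values a file integrity monitor for these keys should alert on.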
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-2 | Account Management | Protects | T1547.004 | Winlogon Helper DLL |
AC-3 | Access Enforcement | Protects | T1547.004 | Winlogon Helper DLL |
AC-5 | Separation of Duties | Protects | T1547.004 | Winlogon Helper DLL |
AC-6 | Least Privilege | Protects | T1547.004 | Winlogon Helper DLL |
CM-5 | Access Restrictions for Change | Protects | T1547.004 | Winlogon Helper DLL |
CM-7 | Least Functionality | Protects | T1547.004 | Winlogon Helper DLL |
IA-2 | Identification and Authentication (Organizational Users) | Protects | T1547.004 | Winlogon Helper DLL |
SI-10 | Information Input Validation | Protects | T1547.004 | Winlogon Helper DLL |
SI-7 | Software, Firmware, and Information Integrity | Protects | T1547.004 | Winlogon Helper DLL |
file_integrity_monitoring | File Integrity Monitoring | technique_scores | T1547.004 | Winlogon Helper DLL |