
Winlogon Helper DLL

Description

Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in <code>HKLM\Software\[Wow6432Node\]Microsoft\Windows NT\CurrentVersion\Winlogon\</code> and <code>HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013)

Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys are known to be abusable: (Citation: Cylance Reg Persistence Sept 2013)

  • Winlogon\Notify - points to notification package DLLs that handle Winlogon events

  • Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on

  • Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on

Adversaries may take advantage of these features to repeatedly execute malicious code and establish Persistence.
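A defender-side check for the three subkeys above, added here as an example and not part of the ATT&CK entry: a PowerShell audit that compares Userinit and Shell in each Winlogon key against an assumed stock baseline, flags any such values set in the per-user hive, and lists every notification package registered under Winlogon\Notify. The baseline strings are assumptions for a default Windows install; adjust them to your own gold image.

```powershell
# Added example (not from the ATT&CK entry). Baseline strings are assumptions
# for a default x64 Windows install; replace them with values from your gold image.
$Baseline = @{
    'Userinit' = 'C:\Windows\system32\userinit.exe,'
    'Shell'    = 'explorer.exe'
}

# The three locations named in the technique description (native, WOW64, per-user).
$WinlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Get-WinlogonFindings {
    $findings = @()
    foreach ($key in $WinlogonKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

        foreach ($name in $Baseline.Keys) {
            $data = $props.$name
            if ($null -eq $data) { continue }   # absent: Winlogon falls back to its built-in default

            # A stock install never sets Userinit/Shell under HKCU, so presence there
            # is a finding regardless of content; under HKLM compare against baseline.
            $perUser = $key -like 'HKCU:*'
            if ($perUser) { $reason = 'value set in per-user hive' }
            elseif ($data.Trim() -ine $Baseline[$name]) { $reason = 'differs from baseline' }
            else { continue }
            $findings += [pscustomobject]@{ Key = $key; Value = $name; Data = $data; Reason = $reason }
        }

        # Notification packages: each subkey of Winlogon\Notify names a DLL in DllName.
        # Current Windows releases ship none here, so every entry deserves review.
        Get-ChildItem -Path (Join-Path $key 'Notify') -ErrorAction SilentlyContinue |
            ForEach-Object {
                $dll = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).DllName
                $findings += [pscustomobject]@{
                    Key = $_.PSPath; Value = 'DllName'; Data = $dll; Reason = 'notification package registered'
                }
            }
    }
    return $findings
}

# Run from an elevated prompt so HKLM is readable; an empty table means no deviations found.
Get-WinlogonFindings | Format-Table -AutoSize
```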

id

T1004

tactic

persistence

datasources

Process monitoring
File monitoring
Windows Registry

maturity

Not Tracked

Assignee

Unassigned