Winlogon Helper DLL (T1547.004)

Description

Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon</code> and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</code> are used to manage additional helper programs and functionalities that support Winlogon.(Citation: Cylance Reg Persistence Sept 2013)


Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013)

Winlogon\Notify - points to notification package DLLs that handle Winlogon events
Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on
Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on

Adversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.

How GTK Cyber trains on this

GTK Cyber's Threat Hunting with Data Science course teaches you to build machine-learning detections for techniques like this across the MITRE ATT&CK framework, including the Persistence, Privilege Escalation tactic this technique falls under. Practitioner-led, focused on real detections, not memorizing technique IDs.

Description

How GTK Cyber trains on this

Related techniques

Train your team to detect attacks like this.