T1547.004: Winlogon Helper DLL
| View on MITRE ATT&CK | T1547.004 |
|---|---|
| Tactic(s) | Persistence, Privilege Escalation |
| Associated CAPEC Patterns | Replace Winlogon Helper DLL (CAPEC-579) |
Data from MITRE ATT&CK®:
Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon.(Citation: Cylance Reg Persistence Sept 2013)
Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013)
- Winlogon\Notify - points to notification package DLLs that handle Winlogon events
- Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on
- Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on
Adversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Reporting on this Technique
CharmingCypress: Innovating Persistence
This report by Volexity outlines campaigns conducted by the actor they call CharmingCypress (aka Charming Kitten). The report describes targeting ...
Mitigations for this technique
MITRE ATT&CK Mitigations
How to detect this technique
MITRE ATT&CK Data Components
Windows Registry Key Modification (Windows Registry)
Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )Module Load (Module)
Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Sigma Detections for this Technique
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.