Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.
- title: Winlogon Helper DLL
id: 851c506b-6b7c-4ce2-8802-c703009d03c0
status: experimental
description: Winlogon.exe is a Windows component responsible for actions at logon/logoff
as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry
entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\
and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage
additional helper programs and functionalities that support Winlogon. Malicious
modifications to these Registry keys may cause Winlogon to load and execute malicious
DLLs and/or executables.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1004/T1004.yaml
logsource:
product: windows
service: powershell
description: Script block logging must be enabled
category: null
detection:
selection:
EventID: 4104
keyword1:
- '*Set-ItemProperty*'
- '*New-Item*'
keyword2:
- '*CurrentVersion\Winlogon*'
condition: selection and ( keyword1 and keyword2 )
falsepositives:
- Unknown
level: medium
tags:
- attack.persistence
- attack.t1004
In [ ]:
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd
In [ ]:
es = Elasticsearch(['http://helk-elasticsearch:9200'])
searchContext = Search(using=es, index='logs-endpoint-winevent-powershell-*', doc_type='doc')
In [ ]:
s = searchContext.query('query_string', query='(event_id:"4104" AND \*.keyword:(*Set\-ItemProperty* OR *New\-Item*) AND "*CurrentVersion\\Winlogon*")')
response = s.execute()
if response.success():
df = pd.DataFrame((d.to_dict() for d in s.scan()))
In [ ]:
df.head()