rules/windows/powershell/powershell_script/powershell_winlogon_helper_dll.yml

title: Winlogon Helper DLL
id: 851c506b-6b7c-4ce2-8802-c703009d03c0
status: experimental
description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2021/10/16
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md
logsource:
    product: windows
    category: ps_script
    definition: Script block logging must be enabled
detection:
    selection:
        ScriptBlockText|contains: 'CurrentVersion\Winlogon'
    selection2:
        ScriptBlockText|contains:
            - 'Set-ItemProperty'
            - 'New-Item'
    condition: selection and selection2
falsepositives:
    - Unknown
level: medium
tags:
    - attack.persistence
    - attack.t1547.004
    - attack.t1004  # an old one
Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00			`title: Winlogon Helper DLL`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 851c506b-6b7c-4ce2-8802-c703009d03c0`
Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00			`status: experimental`
Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00			description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.
Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00			`author: Timur Zinniatullin, oscd.community`
			`date: 2019/10/21`
$frack113$ change to category: ps_script 2021-10-16 08:18:49 +02:00			`modified: 2021/10/16`
Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00			`references:`
Updated ART reference links from .yaml to .md and sub-technique links. 2021-07-06 17:21:22 +08:00			`- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md`
Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00			`logsource:`
			`product: windows`
$frack113$ change to category: ps_script 2021-10-16 08:18:49 +02:00			`category: ps_script`
$frack113$ Update PS rules 2021-08-21 09:50:59 +02:00			`definition: Script block logging must be enabled`
Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00			`detection:`
			`selection:`
Update powershell_winlogon_helper_dll.yml 2020-12-01 02:23:02 +01:00			`ScriptBlockText\|contains: 'CurrentVersion\Winlogon'`
			`selection2:`
			`ScriptBlockText\|contains:`
			`- 'Set-ItemProperty'`
			`- 'New-Item'`
			`condition: selection and selection2`
Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00			`falsepositives:`
			`- Unknown`
			`level: medium`
			`tags:`
			`- attack.persistence`
Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00			`- attack.t1547.004`
windows/powershell folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future. 2020-08-24 00:01:50 +00:00			`- attack.t1004 # an old one`