rules/windows/powershell/powershell_winlogon_helper_dll.yml

title: Winlogon Helper DLL
id: 851c506b-6b7c-4ce2-8802-c703009d03c0
status: experimental
description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1004/T1004.yaml
logsource:
    product: windows
    service: powershell
    definition: 'Script block logging must be enabled'
detection:
    selection:
        EventID: 4104
    keyword1:
        - '*Set-ItemProperty*'
        - '*New-Item*'
    keyword2:
        - '*CurrentVersion\Winlogon*'
    condition: selection and ( keyword1 and keyword2 )
falsepositives:
    - Unknown
level: medium
tags:
    - attack.persistence
    - attack.t1547.004
    - attack.t1004  # an old one
Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00			`title: Winlogon Helper DLL`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 851c506b-6b7c-4ce2-8802-c703009d03c0`
Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00			`status: experimental`
Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00			description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.
Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00			`author: Timur Zinniatullin, oscd.community`
			`date: 2019/10/21`
			`references:`
			`- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1004/T1004.yaml`
			`logsource:`
			`product: windows`
			`service: powershell`
Update additional rules to have correct logsource attributes 2020-07-13 17:02:17 -04:00			`definition: 'Script block logging must be enabled'`
Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00			`detection:`
			`selection:`
			`EventID: 4104`
Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00			`keyword1:`
Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00			`- 'Set-ItemProperty'`
			`- 'New-Item'`
Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00			`keyword2:`
Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00			`- 'CurrentVersion\Winlogon'`
			`condition: selection and ( keyword1 and keyword2 )`
			`falsepositives:`
			`- Unknown`
			`level: medium`
			`tags:`
			`- attack.persistence`
Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00			`- attack.t1547.004`
windows/powershell folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future. 2020-08-24 00:01:50 +00:00			`- attack.t1004 # an old one`