ART t1004
This commit is contained in:
zinint
@@ -0,0 +1,27 @@
|
||||
title: Winlogon Helper DLL
|
||||
status: test
|
||||
description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.
|
||||
author: Timur Zinniatullin, oscd.community
|
||||
references:
|
||||
- https://attack.mitre.org/techniques/T1004/
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1004/T1004.yaml
|
||||
logsource:
|
||||
product: windows
|
||||
service: powershell
|
||||
description: 'Script block logging must be enabled'
|
||||
detection:
|
||||
selection:
|
||||
EventID: 4104
|
||||
keyword1:
|
||||
- '*Set-ItemProperty*'
|
||||
keyword2:
|
||||
- '*New-Item*'
|
||||
keyword3:
|
||||
- '*CurrentVersion\Winlogon*'
|
||||
condition: selection and (keyword1 or keyword2) and keyword3
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: medium
|
||||
tags:
|
||||
- attack.persistence
|
||||
- attack.t1004
|
||||
Reference in New Issue
Block a user