Boot or Logon Autostart Execution: Winlogon Helper DLL

Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is the Windows component responsible for logon and logoff processing and for the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries under HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ manage the additional helper programs and functionality that support Winlogon.[1]

Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. The following subkeys and values are the ones known to be abused:[1]

  • Winlogon\Notify - subkeys that name notification package DLLs (the DLLName value) loaded into winlogon.exe to handle logon events; Windows Vista and later no longer honour this mechanism, so a populated Notify key on a current system is itself an indicator of tampering
  • Winlogon\Userinit - the user initialization program run at logon; the stock value is C:\Windows\system32\userinit.exe, (including the trailing comma), and because the value is a comma-separated list an adversary typically appends a second program rather than replacing userinit.exe
  • Winlogon\Shell - the system shell run at logon; the stock value is explorer.exe, and since this value is also a comma-separated list an adversary can append a path (as in the Gazer procedure below) so that both Explorer and the implant start

Adversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.

ID: T1547.004
Sub-technique of: T1547
Platforms: Windows
Contributors: Praetorian
Version: 1.3
Created: 24 January 2020
Last Modified: 24 October 2025

Procedure Examples

ID  Name  Description

S0534 Bazar

Bazar can use Winlogon Helper DLL to establish persistence.[2]

S0351 Cannon

Cannon adds the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon to establish persistence.[3]

S1066 DarkTortilla

DarkTortilla has established persistence via the Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key.[4]

S0200 Dipsind

A Dipsind variant registers as a Winlogon Event Notify DLL to establish persistence.[5]

S0168 Gazer

Gazer can establish persistence by setting the value "Shell" to "explorer.exe, %malware_pathfile%" under the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.[6]

S0387 KeyBoy

KeyBoy issues the command reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" to achieve persistence.[7][8]

S1202 LockBit 3.0

LockBit 3.0 can enable automatic logon through the SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Registry key.[9]

S1242 Qilin

Qilin can configure a Winlogon registry entry.[10]

S0375 Remexi

Remexi achieves persistence using Userinit by adding the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit.[11]

S0379 Revenge RAT

Revenge RAT creates a Registry key at HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell to survive a system reboot.[12]

G0081 Tropic Trooper

Tropic Trooper has created the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell and set its value to establish persistence.[13][14]

G0010 Turla

Turla established persistence by adding a Shell value under the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.[15]

G0102 Wizard Spider

Wizard Spider has established persistence using Userinit by adding the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.[16]

Mitigations

ID  Mitigation  Description

M1038 Execution Prevention

Identify and block potentially malicious software that may be executed through the Winlogon helper process by using application control[17] tools such as AppLocker[18][19] that can audit and/or block unknown DLLs and executables.

M1018 User Account Management

Limit the privileges of user accounts so that only authorized administrators can change the HKLM Winlogon values. Note that the per-user Shell value under HKCU is honoured at logon and lives in a hive the user's own account can write, so privilege limits alone do not prevent that variant (used by Gazer, Revenge RAT, Tropic Trooper and Turla above); it has to be caught by monitoring or blocked by policy.

Detection Strategy

ID  Name  Analytic ID  Analytic Description

DET0404  Detect Winlogon Helper DLL Abuse via Registry and Process Artifacts on Windows  AN1133

Monitor Windows Registry modifications to Winlogon keys (Shell, Userinit, Notify) that introduce new executable or DLL paths. Correlate these changes with subsequent DLL loading, image loads, or process creation originating from winlogon.exe or userinit.exe. Abnormal child process lineage or unauthorized binaries in C:\Windows\System32 may indicate abuse.
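The following is an added example implementing the DET0404 analytic above against the value layout described in the technique section; it is not code from MITRE ATT&CK. It assumes Sysmon-style event fields (Event ID 13 RegistryEvent value set with TargetObject/Details, Event ID 1 process create with ParentImage/Image, Event ID 7 image load with Image/ImageLoaded), a stock 64-bit Windows baseline for Shell and Userinit, and a small allowlist of children winlogon.exe and userinit.exe normally spawn; the events at the bottom are constructed, not real telemetry. A Winlogon value write is reported as "suspicious" on its own and upgraded to "confirmed" when the logon chain is later seen loading or spawning a path named in that write.

```python
import re

# Stock Shell/Userinit contents on 64-bit Windows (assumption: no legitimate customisation).
EXPECTED_VALUES = {"shell": {"explorer.exe"}, "userinit": {r"c:\windows\system32\userinit.exe"}}
# Values that switch on automatic logon (the LockBit 3.0 procedure above).
AUTOLOGON_VALUES = {"autoadminlogon", "defaultusername", "defaultpassword", "defaultdomainname"}
# Children winlogon.exe/userinit.exe normally spawn; tune to your fleet (assumption).
EXPECTED_CHILDREN = {"userinit.exe", "explorer.exe", "logonui.exe", "dwm.exe", "mpnotify.exe"}
LOGON_PROCESSES = {"winlogon.exe", "userinit.exe"}

# <hive>\Software[\Wow6432Node]\Microsoft\Windows NT\CurrentVersion\Winlogon[\Notify\<pkg>]\<value>
WINLOGON_RE = re.compile(
    r"^(?P<hive>HKLM|HKEY_LOCAL_MACHINE|HKCU|HKEY_CURRENT_USER|HKU\\[^\\]+|HKEY_USERS\\[^\\]+)"
    r"\\software\\(?:wow6432node\\)?microsoft\\windows nt\\currentversion\\winlogon"
    r"(?:\\notify\\(?P<pkg>[^\\]+))?\\(?P<value>[^\\]+)$", re.IGNORECASE)

def normalise_path(path):
    return path.strip().strip('"').replace("/", "\\").lower()

def basename(path):
    return normalise_path(path).rsplit("\\", 1)[-1]

def split_list(data):
    """Shell and Userinit hold comma-separated command lists (Userinit's ends with a comma)."""
    return [normalise_path(p) for p in data.split(",") if p.strip()]

def classify_registry_write(target, details):
    """Return (finding, suspect_paths) for a Winlogon value write, or None if not of interest."""
    m = WINLOGON_RE.match(target)
    if not m:
        return None
    hive, pkg, value = m.group("hive").upper(), m.group("pkg"), m.group("value").lower()
    machine_hive = hive in ("HKLM", "HKEY_LOCAL_MACHINE")
    if pkg is not None:  # Notify\<pkg>\DLLName names a DLL winlogon.exe would load in-process
        return ("winlogon_notify_package", [normalise_path(details)]) if value == "dllname" else None
    if value in EXPECTED_VALUES:
        extra = [e for e in split_list(details) if e not in EXPECTED_VALUES[value]]
        if not machine_hive:  # a stock system has no per-user Shell/Userinit value at all
            return ("per_user_winlogon_" + value, extra)
        return ("winlogon_%s_extra_entry" % value, extra) if extra else None
    if value in AUTOLOGON_VALUES:
        return ("winlogon_autologon_config", [])
    return None

def detect(events):
    """Correlate Winlogon writes (EID 13) with later image loads (EID 7) and process
    creations (EID 1) by winlogon.exe/userinit.exe. A write alone is 'suspicious'; the
    logon chain later using a path named in that write upgrades it to 'confirmed'."""
    alerts, planted = [], {}  # planted: normalised path or bare name -> index into alerts
    for ev in events:
        if ev["EventID"] == 13:
            hit = classify_registry_write(ev["TargetObject"], ev["Details"])
            if hit is None:
                continue
            alerts.append({"severity": "suspicious", "finding": hit[0], "writer": ev["Image"],
                           "target": ev["TargetObject"], "paths": hit[1]})
            for p in hit[1]:
                planted[p] = len(alerts) - 1
        elif ev["EventID"] in (1, 7):
            actor = ev["ParentImage"] if ev["EventID"] == 1 else ev["Image"]
            if basename(actor) not in LOGON_PROCESSES:
                continue
            loaded = normalise_path(ev["Image"] if ev["EventID"] == 1 else ev["ImageLoaded"])
            # a bare name in the value (e.g. "cmd.exe") is resolved through PATH at logon
            idx = planted.get(loaded, planted.get(basename(loaded)))
            if idx is not None:
                alerts[idx]["severity"], alerts[idx]["observed"] = "confirmed", loaded
            elif ev["EventID"] == 1 and basename(loaded) not in EXPECTED_CHILDREN:
                alerts.append({"severity": "suspicious", "finding": "unexpected_logon_child",
                               "writer": actor, "target": loaded, "paths": [loaded]})
    return alerts

# Constructed Sysmon-style events (not real telemetry), in time order.
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",  # benign rewrite of the stock value
     "TargetObject": WINLOGON + r"\Userinit", "Details": r"C:\Windows\system32\userinit.exe,"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",  # Gazer-style per-user Shell
     "TargetObject": r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": r"explorer.exe, C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"EventID": 13, "Image": r"C:\Windows\Temp\a.exe",  # Remexi-style Userinit chain
     "TargetObject": WINLOGON + r"\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,C:\ProgramData\update.exe,"},
    {"EventID": 13, "Image": r"C:\Windows\Temp\a.exe",  # Notify package dropped into System32
     "TargetObject": WINLOGON + r"\Notify\evt\DLLName", "Details": r"C:\Windows\System32\evt.dll"},
    {"EventID": 13, "Image": r"C:\Windows\Temp\a.exe",  # automatic logon switched on
     "TargetObject": WINLOGON + r"\AutoAdminLogon", "Details": "1"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\winlogon.exe", "Image": r"C:\Windows\System32\userinit.exe"},
    {"EventID": 7, "Image": r"C:\Windows\System32\winlogon.exe", "ImageLoaded": r"C:\Windows\System32\evt.dll"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\userinit.exe", "Image": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\userinit.exe",
     "Image": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print("%-10s %-31s %s -> %s" % (a["severity"], a["finding"], a["writer"], a["paths"] or a["target"]))
```

On the sample stream the benign svchost.exe rewrite of the stock Userinit value produces nothing, the HKCU Shell append and the Notify DLL are both confirmed once userinit.exe spawns the Roaming svchost.exe and winlogon.exe loads evt.dll, while the Userinit append and the AutoAdminLogon change stay at "suspicious" because nothing in the stream shows them taking effect yet. Keying the correlation on the full normalised path, with a bare-name fallback, is what stops a legitimate C:\Windows\System32\svchost.exe child from being confused with the planted copy of the same name.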

References

  1. Langendorf, S. (2013, September 24). Windows Registry Persistence, Part 2: The Run Keys and Search-Order. Retrieved November 17, 2024.
  2. Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020.
  3. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
  4. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
  5. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  6. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
  7. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
  8. Hulcoop, A., et al. (2016, November 17). It’s Parliamentary KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019.
  9. FBI et al. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved February 5, 2025.
  10. Magdy, S. et al. (2022, August 25). New Golang Ransomware Agenda Customizes Attacks. Retrieved September 26, 2025.
  11. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
  12. Livelli, K., et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
  13. Ray, V. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved November 9, 2018.
  14. Chen, J. (2020, May 12). Tropic Trooper's Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  15. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  16. Goody, K., Kennelly, J., Shilko, J., Elovitz, S., Bienstock, D. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
  17. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda? Retrieved November 18, 2014.
  18. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  19. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.