Comment on page
Query the Registry for Winlogon Helper Dll's
AID2112302152.YAML
#####aid_begin
#description: fetch the information on winlogon helper dll from winlogon
#id: aid2112302152
#processtype: query
#category: registry
#sourcelink: <na>
#tacticidlist: <na>
#techniqueidlist: <na>
#compatibleos: |-
# windows 7
# windows 8.*
# windows 10
# windows 11
# windows server 2008 r2
# windows server 2012
# windows server 2012 r2
# windows server 2016
# windows server 2019
#compatibleengine: |-
# powershell 2
# powershell 3
# powershell 4
# powershell 5.*
# powershell 7.*
#bgcommandlist: |-
# get-bgregistry
#notes: |-
# adversaries may abuse features of winlogon to execute dlls and/or executables when a user logs in. winlogon.exe is a windows component responsible for actions at logon/logoff as well as the secure attention sequence (sas) triggered by ctrl-alt-delete. malicious modifications to these registry keys may cause winlogon to load and execute malicious dlls and/or executables. specifically,
# o winlogon\notify - points to notification package dlls that handle winlogon events
# o winlogon\userinit - points to userinit.exe, the user initialization program executed when a user logs on
# o winlogon\shell - points to explorer.exe, the system shell executed when a user logs on
# adversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.
#####aid_end
commands:
- Get-BGRegistry -StartKey "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -MatchValue -MatchData -Pattern 'Shell'
- Get-BGRegistry -StartKey "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -MatchValue -MatchData -Pattern 'Userinit'
- Get-BGRegistry -StartKey "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -MatchValue -MatchData -Pattern 'AppSetup'
- Get-BGRegistry -StartKey "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -MatchValue -MatchData -Pattern 'Taskman'
- Get-BGRegistry -StartKey "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -MatchValue -MatchData -Pattern 'VmApplet'
- Get-BGRegistry -StartKey "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -MatchValue -MatchData -Pattern 'Notify'
- Get-BGRegistry -StartKey "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon" -MatchValue -MatchData -Pattern 'Shell'
- Get-BGRegistry -StartKey "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon" -MatchValue -MatchData -Pattern 'Userinit'
- Get-BGRegistry -StartKey "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon" -MatchValue -MatchData -Pattern 'AppSetup'
- Get-BGRegistry -StartKey "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon" -MatchValue -MatchData -Pattern 'Taskman'
- Get-BGRegistry -StartKey "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon" -MatchValue -MatchData -Pattern 'VmApplet'
- Get-BGRegistry -StartKey "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon" -MatchValue -MatchData -Pattern 'Notify'
- Get-BGRegistry -StartKey "HKU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -MatchValue -MatchData -Pattern 'Shell'
- Get-BGRegistry -StartKey "HKU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -MatchValue -MatchData -Pattern 'Userinit'
- Get-BGRegistry -StartKey "HKU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -MatchValue -MatchData -Pattern 'Notify'