Query the Registry for Winlogon Helper DLLs

AID2112302152.YAML

#####aid_begin
#description: fetch the helper dll, shell, userinit and other autostart values that winlogon executes from the winlogon registry keys
#id: aid2112302152
#processtype: query
#category: registry
#sourcelink: <na>
#tacticidlist: <na>
#techniqueidlist: <na>
#compatibleos: |-
#  windows 7
#  windows 8.*
#  windows 10
#  windows 11
#  windows server 2008 r2
#  windows server 2012
#  windows server 2012 r2
#  windows server 2016
#  windows server 2019
#compatibleengine: |-
#  powershell 2
#  powershell 3
#  powershell 4
#  powershell 5.*
#  powershell 7.*
#bgcommandlist: |-
#  get-bgregistry
#notes: |-
#  adversaries may abuse winlogon to execute dlls and/or executables when a user logs in. winlogon.exe is the windows component responsible for logon and logoff actions and for the secure attention sequence (sas) triggered by ctrl-alt-delete. it reads the registry values below and launches whatever they name, so a malicious modification causes winlogon to load and execute attacker-controlled dlls and/or executables. specifically,
#     o  winlogon\notify - subkeys point to notification package dlls that handle winlogon events (loaded on windows xp / server 2003; windows vista and later no longer load these packages, but an entry here is still suspicious)
#     o  winlogon\userinit - points to userinit.exe, the user initialization program executed when a user logs on (comma-separated list; every entry is executed)
#     o  winlogon\shell - points to explorer.exe, the system shell executed when a user logs on (comma-separated list; every entry is executed; a per-user shell value in the user's hive is honored as well, which is why the hku keys are queried below)
#     o  winlogon\appsetup, winlogon\taskman and winlogon\vmapplet - further values that winlogon executes (appsetup programs at logon, taskman in place of task manager, vmapplet as the virtual memory applet); normally absent or pointing at windows binaries
#  adversaries may take advantage of these features to repeatedly execute malicious code and establish persistence. compare the returned data against a known-good baseline and verify the signature of every image an entry references; the queries below return the raw values and do not judge them.
#####aid_end
commands:
- Get-BGRegistry -StartKey "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -MatchValue -MatchData -Pattern 'Shell'
- Get-BGRegistry -StartKey "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -MatchValue -MatchData -Pattern 'Userinit'
- Get-BGRegistry -StartKey "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -MatchValue -MatchData -Pattern 'AppSetup'
- Get-BGRegistry -StartKey "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -MatchValue -MatchData -Pattern 'Taskman'
- Get-BGRegistry -StartKey "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -MatchValue -MatchData -Pattern 'VmApplet'
- Get-BGRegistry -StartKey "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -MatchValue -MatchData -Pattern 'Notify'
- Get-BGRegistry -StartKey "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon" -MatchValue -MatchData -Pattern 'Shell'
- Get-BGRegistry -StartKey "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon" -MatchValue -MatchData -Pattern 'Userinit'
- Get-BGRegistry -StartKey "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon" -MatchValue -MatchData -Pattern 'AppSetup'
- Get-BGRegistry -StartKey "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon" -MatchValue -MatchData -Pattern 'Taskman'
- Get-BGRegistry -StartKey "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon" -MatchValue -MatchData -Pattern 'VmApplet'
- Get-BGRegistry -StartKey "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon" -MatchValue -MatchData -Pattern 'Notify'
- Get-BGRegistry -StartKey "HKU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -MatchValue -MatchData -Pattern 'Shell'
- Get-BGRegistry -StartKey "HKU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -MatchValue -MatchData -Pattern 'Userinit'
- Get-BGRegistry -StartKey "HKU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -MatchValue -MatchData -Pattern 'Notify'
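
The commands above return the raw values; the triage step (compare against a baseline, resolve each launched image, check its signature) still has to be done by hand. The script below is an added example written for this page, not part of the aid file and not part of the Get-BGRegistry module: it reads the same Winlogon keys with built-in cmdlets only (assumes Windows PowerShell 3 or later, or PowerShell 7 on Windows, run from a 64-bit host so both registry views are read natively). The defaults in `$Baseline` are assumptions for a stock 64-bit Windows 10/11 install and should be replaced with your own golden-image values; anything the script reports is a candidate for review, not a verdict.

```powershell
# Added example (not the aid file's or Get-BGRegistry's code): baseline check of
# the Winlogon autostart values using only built-in cmdlets.
# Assumed defaults for a stock 64-bit Windows 10/11 install; adjust to your image.
# $null means the value is normally absent, so any data at all is reported.
$Baseline = @{
    'Shell'    = 'explorer.exe'
    'Userinit' = 'C:\Windows\system32\userinit.exe,'
    'AppSetup' = $null
    'Taskman'  = $null
    'VmApplet' = 'SystemPropertiesPerformance.exe /pagefile'
}

function Get-ImagePath {
    # Pull the executable out of a command line: a quoted path, or the first token.
    param([string] $CommandLine)
    if ($CommandLine -match '^"([^"]+)"') { return $Matches[1] }
    return ($CommandLine -split '\s+')[0]
}

function Get-ImageSignatureStatus {
    # Resolve a full path or a bare name (explorer.exe, a DLL in System32) the way
    # Winlogon would and report its Authenticode status; 'NotFound' = nothing on disk.
    param([string] $Image)
    if (-not $Image) { return 'NotFound' }
    $path = $null
    if (Test-Path -LiteralPath $Image -PathType Leaf) { $path = $Image }
    else {
        $sys = Join-Path $env:SystemRoot "System32\$Image"
        if (Test-Path -LiteralPath $sys -PathType Leaf) { $path = $sys }
        else {
            $cmd = Get-Command -Name $Image -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
            if ($cmd) { $path = $cmd.Path }
        }
    }
    if (-not $path) { return 'NotFound' }
    return (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
}

function Test-WinlogonKey {
    # Report every value under $KeyPath whose data differs from $Expected, one row
    # per launched entry, plus every Winlogon\Notify package subkey.
    param(
        [Parameter(Mandatory)] [string]    $KeyPath,
        [Parameter(Mandatory)] [hashtable] $Expected
    )
    $findings = @()
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $findings }
    $props = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (-not $props) { return $findings }

    foreach ($name in $Expected.Keys) {
        $prop = $props.PSObject.Properties[$name]
        if (-not $prop) { continue }                      # value absent: nothing to flag
        $actual = [string] $prop.Value
        if ($actual -eq $Expected[$name]) { continue }    # matches the assumed baseline
        # Shell, Userinit and AppSetup are comma-separated and every entry is
        # launched, so inspect each entry rather than the string as a whole.
        foreach ($entry in ($actual -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
            $findings += [pscustomobject]@{
                Key       = $KeyPath
                Value     = $name
                Entry     = $entry
                Signature = Get-ImageSignatureStatus (Get-ImagePath $entry)
            }
        }
    }

    # Winlogon\Notify: each subkey names a notification package in its DLLName
    # value. Vista and later ignore these, but a subkey here is still worth a look.
    $notify = Join-Path $KeyPath 'Notify'
    if (Test-Path -LiteralPath $notify) {
        foreach ($sub in Get-ChildItem -LiteralPath $notify) {
            $dllProp = (Get-ItemProperty -LiteralPath $sub.PSPath).PSObject.Properties['DLLName']
            $dll = if ($dllProp) { [string] $dllProp.Value } else { '' }
            $findings += [pscustomobject]@{
                Key       = $sub.PSPath
                Value     = 'DLLName'
                Entry     = $dll
                Signature = Get-ImageSignatureStatus $dll
            }
        }
    }
    return $findings
}

# Machine-wide keys (native and WOW64 views), then every loaded user hive. HKU is
# not exposed as a drive by default, so go through the Registry:: provider path.
$targets = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';             Expected = $Baseline }
    @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'; Expected = $Baseline }
)
$sids = Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' }
foreach ($sid in $sids) {
    # Per-user Shell/Userinit values are normally absent, so any data is reported.
    $targets += @{ Path     = "Registry::HKEY_USERS\$($sid.PSChildName)\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
                   Expected = @{ 'Shell' = $null; 'Userinit' = $null } }
}

$results = foreach ($t in $targets) { Test-WinlogonKey -KeyPath $t.Path -Expected $t.Expected }
if ($results) { $results | Format-Table -AutoSize } else { 'No Winlogon values deviate from the assumed baseline.' }
```

Run it elevated so every loaded user hive under HKEY_USERS is readable. A `Signature` of `NotFound` on an entry means the image does not exist where Winlogon would look for it (stale entry or a dropper that has been cleaned up); `NotSigned` or `HashMismatch` on a Shell or Userinit entry is the case that deserves immediate attention.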
