RP2008: Persistence using Windows Logon Helper
Summary
ID | RP2008 |
---|---|
Brief Description | Response playbook for detected persistence using Windows Logon Helper. |
Author | Alex@Cyberok |
Creation Date | 2023/02/03 |
Modification Date | 2023/02/03 |
Tags | |
Usecases | |
Description
Registry entries under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon for 32-bit components on 64-bit Windows) and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon are used to manage additional helper programs and functionalities that support Winlogon.
Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be vulnerable to abuse:
- Winlogon\Notify - points to notification package DLLs that handle Winlogon events
- Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on
- Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on
Workflow
For better triage and more effective response actions, identify and analyze the artifacts produced by the use case before acting on them.
- Identify changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner.
- Look for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
  - examine content
  - analyse malware file
- Take any containment action depending on the situation and level of asset's criticality. For example, block potentially malicious software that may be executed through the Winlogon helper process by using application control tools like AppLocker that are capable of auditing and/or blocking unknown DLLs:
  - block internal ip address
  - quarantine file by hash
- Take any eradication action depending on the situation and level of asset's criticality. For example, tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current Winlogon helper values:
  - remove file
  - remove registry key
- Take recovery action depending on previous containment and eradication actions:
  - recover modification
  - unblock quarantined host
- Report incident, remove security breaches, conduct lessons learned exercises.
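As an added example for the Identification step (not part of the RP2008 playbook or its tooling), the following PowerShell audit lists the Winlogon helper values described above across HKLM, the Wow6432Node mirror and HKCU, and flags anything that differs from a stock Windows install; the expected default values are assumptions and should be replaced with those of your own gold image.

```powershell
# Added example, not playbook code: audit Winlogon helper values and report deviations.
# Expected defaults are assumptions for a standard install; adjust to your baseline.
$expected = @{
    'Userinit' = 'C:\Windows\system32\userinit.exe,'   # default ends with a trailing comma
    'Shell'    = 'explorer.exe'
}
$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Get-WinlogonFindings {
    $findings = @()
    foreach ($key in $winlogonKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Userinit / Shell: HKCU normally carries no such values at all (a per-user override
        # is itself suspicious); HKLM values must match the expected defaults exactly.
        foreach ($name in $expected.Keys) {
            $value = $props.$name
            if ($null -eq $value) { continue }
            if ($key -like 'HKCU:*' -or $value -ne $expected[$name]) {
                $findings += [pscustomobject]@{
                    Key = $key; Name = $name; Value = $value; Reason = 'Unexpected helper value'
                }
            }
        }
        # Notify: every subkey names a DLL loaded on logon events, so list each one for review.
        $notify = Join-Path $key 'Notify'
        if (Test-Path $notify) {
            Get-ChildItem -Path $notify | ForEach-Object {
                $dll = (Get-ItemProperty -Path $_.PSPath).DllName
                $findings += [pscustomobject]@{
                    Key = $_.PSPath; Name = 'DllName'; Value = $dll; Reason = 'Notify package present'
                }
            }
        }
    }
    return $findings
}

$findings = Get-WinlogonFindings
if ($findings.Count -eq 0) {
    Write-Host 'Winlogon helper values match the expected defaults.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session on the affected host; any row it prints is a candidate for the "examine content" and "analyse malware file" sub-steps before containment.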
Response discovery mapping
ARTIFACT | RESPONSE ACTION | RESPONSE ACTION OBSERVABLES |
---|---|---|
Windows Registry | List registry keys accessed, List registry keys modified, Examine content | Look for specific registry hive values, Malicious file |
File | Identify means of attack, Analyse Windows PE file | Look for code execution and persistence artifacts, Code execution artifacts |
P.S. Artifacts from the "Attack Prerequisites" section (in this case: Host) should be used in Operational Preparations and as incoming arguments for other response actions, for example
Response mindmap diagram
Playbook Actions
- Preparation
- Identification
  - List Registry Keys Accessed
  - List Registry Keys Modified
  - Identify means of attack
  - Identify affected systems and users
  - Analyse Windows PE
    - Perform malware analysis via SOLDR
  - Examine Content
- Containment
  - Block Internal IP Address
  - Quarantine File By Hash
- Eradication
  - Remove File
    - Deleting a file from Windows with PowerShell
    - Deleting a file from Windows via SOLDR
  - Remove Registry Key
    - Remove Windows registry key with PowerShell
- Recovery
  - [Unimplemented] Recover modification
  - Unblock Blocked IP
- Lessons Learned
  - Develop Incident Report
  - Conduct Lessons Learned Exercise