
UC0051: Windows Logon Helper Persistence

Summary

ID UC0051
Brief Description Boot or Logon Autostart Execution - Winlogon Helper DLL.
Author Alex@Cyberok
Creation Date 2023/02/28
Modification Date 2023/02/28
ATT&CK Techniques
Tags
  • Persistence
  • Windows
Linked Response Playbooks
Artifacts

Description

Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.

Registry entries in

HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
are used to manage additional helper programs and functionalities that support Winlogon.

Attack mapping

Artifact | Object | Description
Attack Prerequisites
Host | Compromised host | A host to which an attacker has privileged access
File | File with malicious code | Code executed to gain persistence
Side Observables
Windows Registry | Userinit subkey | Winlogon registry subkeys are known to be abusable for launching additional programs at logon

Attack results

Adversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.

Resource | Description
Attack Prerequisites
Privileged Access | Compromised host with privileged access
Result Consequences
Remote Code Execution | Attacker gains the ability to execute commands on the remote host
Persistence | Attacker can use a reverse shell as the payload to maintain access to the host

Attack progress

1) Commonly abused Winlogon registry keys and values for persistence are:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell

HKCU can be replaced with HKLM for system-wide persistence if the attacker has administrative privileges.

2) Let's run through the technique by abusing the Userinit value. First, let's see what is currently stored in Userinit:

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v userinit
Let's now add an additional item, shell.cmd (a simple netcat reverse shell), to the list of programs that should be launched when the compromised machine reboots:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v userinit /d C:\Windows\system32\userinit.exe,C:\tools\shell.cmd /t reg_sz /f
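The following audit script is an added example, not part of the original use case: it parses the output of the reg query command shown above and reports any Userinit or Shell entry that is not on a known-good allow-list. The sample reg query output is constructed to match the modified value from step 2, and the allow-listed defaults (userinit.exe and explorer.exe) are an assumption for a standard Windows install.

```python
import re

# Assumed known-good defaults for the two Winlogon values discussed above.
# The Userinit default normally ends with a trailing comma, which produces an
# empty element after splitting; empty items are therefore ignored.
EXPECTED = {
    "userinit": {r"c:\windows\system32\userinit.exe"},
    "shell": {"explorer.exe"},
}

# Constructed sample: what `reg query ... Winlogon` prints after the Userinit
# value has been extended with an extra entry, as in step 2 of this use case.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,C:\tools\shell.cmd
    Shell       REG_SZ    explorer.exe
    AutoRestartShell    REG_DWORD    0x1
"""

# reg query prints each value as: <indent><name> <type> <data>
LINE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")


def parse_reg_query(text):
    """Return {value_name_lower: data} for the string values in reg query output."""
    values = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) in ("REG_SZ", "REG_EXPAND_SZ"):
            values[m.group(1).lower()] = m.group(3)
    return values


def check_winlogon(values):
    """Return (value_name, entry) pairs that are not on the allow-list."""
    findings = []
    for name, allowed in EXPECTED.items():
        for item in values.get(name, "").split(","):
            item = item.strip()
            if item and item.lower() not in allowed:
                findings.append((name, item))
    return findings


if __name__ == "__main__":
    for name, item in check_winlogon(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"unexpected {name} entry: {item}")
```

On a live host, feed the script the real output of reg query for both the HKLM and HKCU Winlogon keys; any non-empty finding list warrants a look at the referenced file.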

Possible usage

Reverse shell

1) Rebooting the compromised system executes C:\tools\shell.cmd, which in turn establishes a reverse shell to the attacking system.

Attack diagram

Diagram

References

Windows Logon Helper