Winlogon Helper DLL

Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software{\Wow6432Node\}Microsoft\Windows NT\CurrentVersion\Winlogon and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon are used to manage additional helper programs and functionalities that support Winlogon.

Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse:

· Winlogon\Notify - points to notification package DLLs that handle Winlogon events

· Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on

· Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on

Adversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.

Example:

As mentioned this component handles what is going on during logon and logoff times so this payload needs to be dropped onto the System23 folder, in this way we can load the legitimate binary and our payload and the same time.

The registry key that we will focus in this situation is the UserInit. We will need Administrator privileges for this technique to work properly.

Machine generated alternative text: Administrator: Command Prompt Microsoft windows [Version 18.8.19842.638] (c) 2828 microsoft Corporation. All rights reserved . C: \Windows\system32>reg add NT\CurrentVersion\Win10gon" 'v Userinit 'd "Userinit .exe, payloadx64.exe" If

We can also apply the same technique to the Shell Registry and we can also reach the same goal when a user logs in we will receive a shell.

From here we can simply lock the screen of the target workstation and wait for the user to log back onto the machine.

Logoff:

Sign-in:

Shel:

We have 2 registry keys that we can modify and reach our goal of persistence but we also have a 3rd one Notify Key:

The “Notify” registry key is typically found in older operating systems (prior to Windows 7) and it points to a notification package DLL file which handles Winlogon events. Replacing DLL entries under this registry key with an arbitrary DLL will cause Windows to execute it during logon.

As we can see both of our methods will work correctly and will execute on logon we just have to remember that these binary's need to be dropped on the System32 folder so that both the legitimate and the payload gets executed.

References:

https://pentestlab.blog/2020/01/14/persistence-winlogon-helper-dll/