Prasanna1
Staff
August 12, 2020

HUNTS- Winlogon Helper DLL (T1004)


Version 1.0


ATT&CK Technique: Winlogon Helper DLL (T1004)


What this playbook hunts for:

  • Abnormal DLL loads and processes spawned by Winlogon.exe. An attacker can abuse Winlogon.exe to maintain persistence in an environment by modifying any of several Registry keys that instruct Winlogon.exe to execute DLLs and executables of their choice.

How the playbook works:

  • Generates a SIEM query for Sysmon Event ID 13 logs in which one of the Registry entries consulted by Winlogon.exe has been modified.

  • Generates a SIEM query for Sysmon Event ID 1 logs in which Winlogon.exe spawned a process whose image resides outside of a standard Windows directory.
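
The two queries above, expressed as detection logic over constructed Sysmon Event ID 13 and Event ID 1 records, are an added example and not code from the playbook or its vendor. It assumes the Winlogon value names from ATT&CK T1004 (Shell, Userinit, Notify), the two standard directories named under False Positive Potential below, and a constructed allowlist on the "Details" field, which is the whitelisting approach that section recommends.

```python
import re

# Winlogon values that control what winlogon.exe loads or runs (assumed per ATT&CK T1004).
WINLOGON_KEY_RE = re.compile(
    r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit|Notify)", re.I)
# Directories from which winlogon.exe normally launches children.
STANDARD_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Constructed allowlist of authorized "Details" (value data); tune per environment.
ALLOWED_DETAILS = {"explorer.exe", "c:\\windows\\system32\\userinit.exe,"}
# Constructed Sysmon events, flattened to dicts the way a SIEM normalizes them.
EVENTS = [
    {"EventID": 13, "Computer": "ws01",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit",
     "Details": "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Public\\upd.exe"},
    {"EventID": 13, "Computer": "ws02",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
     "Details": "explorer.exe"},
    {"EventID": 1, "Computer": "ws01", "UtcTime": "2020-08-12 09:14:02.117", "ProcessId": "4120",
     "ParentImage": "C:\\Windows\\System32\\winlogon.exe", "Image": "C:\\Users\\Public\\upd.exe",
     "User": "WS01\\alice", "Hashes": "MD5=0123456789ABCDEF0123456789ABCDEF,SHA256=<constructed>"},
    {"EventID": 1, "Computer": "ws01", "UtcTime": "2020-08-12 09:14:01.900", "ProcessId": "4100",
     "ParentImage": "C:\\Windows\\System32\\winlogon.exe", "Image": "C:\\Windows\\System32\\userinit.exe",
     "User": "WS01\\alice", "Hashes": "MD5=<constructed>"},
]

def hunt_registry(events, allowed=ALLOWED_DETAILS):
    # Event ID 13: a Winlogon value was set and its new data is not on the allowlist.
    hits = []
    for e in events:
        if e.get("EventID") != 13 or not WINLOGON_KEY_RE.search(e.get("TargetObject", "")):
            continue
        if e.get("Details", "").lower() in allowed:
            continue  # known-authorized change, e.g. an installer restoring the default
        hits.append({"host": e["Computer"], "key": e["TargetObject"], "value": e["Details"]})
    return hits

def md5_from_hashes(hashes):
    # Sysmon's Hashes field is "MD5=..,SHA256=.."; return the MD5 part, lower-cased.
    parts = [p[4:].lower() for p in hashes.split(",") if p.upper().startswith("MD5=")]
    return parts[0] if parts else None

def hunt_process(events):
    # Event ID 1: winlogon.exe spawned a child that lives outside System32/SysWOW64.
    hits = []
    for e in events:
        if e.get("EventID") != 1 or not e.get("ParentImage", "").lower().endswith("\\winlogon.exe"):
            continue
        if e.get("Image", "").lower().startswith(STANDARD_DIRS):
            continue  # userinit.exe, dwm.exe etc. launched from the standard directories
        hits.append({"host": e["Computer"], "pid": e["ProcessId"], "path": e["Image"], "time": e["UtcTime"],
                     "user": e["User"], "md5": md5_from_hashes(e.get("Hashes", ""))})
    return hits
```

Each hit carries the fields listed under "What results are expected" below, so the same dicts can feed the alert-creation subroutines.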


What results are expected:

  • Name, process ID, and path of the process executed by Winlogon.exe

  • Execution time

  • MD5 hash of the executed process

  • Hostname of the computer where the process was executed

  • User account which launched the process

  • Winlogon registry entry that has been modified


Common follow-on actions:

  • Quarantine host


What inputs are necessary:

  • SIEM

  • Logs: Sysmon Event ID 1: Process creation

  • Logs: Sysmon Event ID 13: Registry modification

  • Hunt start time


What subroutine playbooks are needed:

  • Create and Link Alerts from Hunt (Host-based)

  • Create User from Alert (Host)

  • Link Asset to Alert (POST-CREATE)

  • Create Indicators from MITRE Alert (Process and Hash)

  • Deduplicate Comments (Hunt)


What configurations are needed:

  • Sysmon logging enabled to include logging Event IDs 1 and 13


False Positive Potential: Medium

  • The Registry keys related to Winlogon.exe may be altered during legitimate business practices, such as patching and new software installations, which will cause Sysmon Event ID 13 logs to be generated and alerted upon by this hunt playbook. Focus on changes that occur outside of normal patching cycles and consider whitelisting changes (in the “Details” field, which maps to the Registry key value) that are known to be authorized.

  • Winlogon.exe executing DLLs or other executables that do not reside within C:\Windows\System32\ or C:\Windows\SysWOW64\ is fairly uncommon, so any alerts from this SIEM query should be investigated and well understood by analysts.