Registration of Winlogon Helper DLL¶
A winlogon registry key was modified to establish persistence.
| id: | 46de6f8f-e30e-45f7-a136-7ab140c9af08 |
|---|---|
| categories: | hunt |
| confidence: | low |
| os: | windows |
| created: | 7/26/2019 |
| updated: | 7/26/2019 |
MITRE ATT&CK™ Mapping¶
| tactics: | Persistence |
|---|---|
| techniques: | T1004 Winlogon Helper DLL |
Query¶
registry where
wildcard(registry_path,
"*\\Software[Wow6432Node]Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\*",
"*\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\*")