Title

Winlogon Registry Key Persistence

Tactics:

Persistence
T1547: Boot or Logon Autostart Execution
T1547.001: Registry Run Keys / Startup Folder

Source

https://www.hackingarticles.in/windows-persistence-using-winlogon/

Description

Find Winlogon with outbound connections #MDE

Kusto:

DeviceRegistryEvents  
| where ActionType in~ ("RegistryValueSet","RegistryValueCreated")  
| where ( RegistryKey has @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" or RegistryKey has @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" ) and RegistryValueName in~ ("shell","userinit")
// review the key and associated key value to understand if malicious activity has taken place e.g. C:\Windows\system32\userinit.exe, C:\Windows\System32\evil.exe

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

mde_persistence_registry_winlogon_t1547.md

mde_persistence_registry_winlogon_t1547.md

Title

Tactics:

Source

Description

Files

mde_persistence_registry_winlogon_t1547.md

Latest commit

History

mde_persistence_registry_winlogon_t1547.md

File metadata and controls

Title

Tactics:

Source

Description