
Winlogon Notify Key Logon Persistence

Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.

Author: François Hubaut | Created Thu Dec 30 | Updated Thu Aug 17 | bbf59793-6efb-4fa1-95ca-a7d288e52c88 | windows
Log Source
Product: Windows (raw: windows)
Category: Registry Set (raw: registry_set)
Detection Logic (1 selector)
detection:
    selection:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logon'
        Details|endswith: '.dll'
    condition: selection
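Added example (not code from the rule page or the Sigma project): the selection above evaluated in Python over constructed Sysmon Event ID 13 (RegistryEvent - Value Set) records. It assumes the field names TargetObject, Details, Image and EventType as Sigma's registry_set log source maps them, and applies Sigma's default case-insensitive string matching.

```python
# Added example: evaluate the rule's Sigma selection over constructed Sysmon
# Event ID 13 (RegistryEvent - Value Set) records. Not code from the rule page.
# Sigma string matching is case-insensitive by default, so 'endswith' is case-folded.
RULE_SELECTION = {
    "TargetObject|endswith": r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logon",
    "Details|endswith": ".dll",
}

def _endswith_ci(value: str, suffix: str) -> bool:
    return value.casefold().endswith(suffix.casefold())

def matches_selection(event: dict, selection: dict = RULE_SELECTION) -> bool:
    """True when every 'field|endswith' clause holds (a Sigma map is an AND)."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if modifier != "endswith":
            raise ValueError(f"unsupported Sigma modifier: {modifier!r}")
        actual = event.get(field)
        if not isinstance(actual, str) or not _endswith_ci(actual, expected):
            return False
    return True

def alert_on(events: list) -> list:
    """Return the events that trip the rule; Image is kept for triage context."""
    return [e for e in events if matches_selection(e)]

# Constructed sample events (assumed Sysmon field names, not real telemetry).
SAMPLE_EVENTS = [
    {   # 1: value 'logon' under Winlogon\Notify set to a DLL path -> match
        "EventType": "SetValue", "Image": r"C:\Windows\regedit.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logon",
        "Details": r"C:\ProgramData\example_notify.dll",
    },
    {   # 2: same value, but Details is not a .dll path -> no match
        "EventType": "SetValue", "Image": r"C:\Windows\regedit.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logon",
        "Details": "(Empty)",
    },
    {   # 3: a different Winlogon value (Userinit) -> no match for this rule
        "EventType": "SetValue", "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
        "Details": r"C:\Windows\system32\userinit.exe,",
    },
    {   # 4: mixed case in both fields still matches (case-insensitive semantics)
        "EventType": "SetValue", "Image": r"C:\Windows\Temp\installer.exe",
        "TargetObject": r"hklm\software\microsoft\windows nt\currentversion\winlogon\notify\LOGON",
        "Details": r"C:\WINDOWS\TEMP\NOTIFY.DLL",
    },
]
```

Because the rule's false-positive likelihood is unassessed, the Image of the writing process is the first thing to check when an alert fires.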
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

Rule Metadata
Rule ID
bbf59793-6efb-4fa1-95ca-a7d288e52c88
Status
test
Level
high
Type
Detection
Created
Thu Dec 30
Modified
Thu Aug 17
Path
rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml
Raw Tags
attack.privilege-escalation, attack.persistence, attack.t1547.004