CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify

Submission Date: 2021/11/28

Update Date:

Information Domain: Host

Data Subtypes: Process, Registry

Analytic Type: TTP

Applicable Platforms: Windows

Contributors: Lucas Heiligenstein

Detection of modification of the registry key values of Notify, Userinit, and Shell located in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKEY_LOCAL_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\. When a user logs on, the Registry key values of Notify, Userinit and Shell are used to load dedicated Windows component. Attackers may insert malicious payload following the legitimate value to launch a malicious payload.

ATT&CK Detections

Technique	Subtechnique(s)	Tactic(s)	Level of Coverage
Boot or Logon Autostart Execution	Winlogon Helper DLL	Persistence, Privilege Escalation	Medium
Modify Registry	N/A	Defense Evasion	Medium

D3FEND Techniques

ID	Name
D3-PSA	Process Spawn Analysis

Data Model References

Object	Action	Field
process	create	command_line
registry	add	key

Implementations

Userinit/Shell/Notify Registry Modifications (Pseudocode, CAR native)

This detects logon registry key modification, either via a new process (command line) or direct registry manipulation.

processes = search Process:create
logon_reg_processes = filter processes where command_line CONTAINS("*\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*") AND (command_line CONTAINS("*Userinit*") OR command_line CONTAINS("*Shell*") OR command_line CONTAINS("*Notify*")) AND (((command_line CONTAINS("*reg*") OR command_line CONTAINS("*add*") OR command_line CONTAINS("*/d*")) OR (command_line CONTAINS("*Set-ItemProperty*") OR command_line CONTAINS("*New-ItemProperty*") OR command_line CONTAINS("*-value*"))))
reg_keys = search Registry:value_edit
logon_reg_keys = filter reg_keys where (value="Userinit" OR value="Shell" OR value="Notify")
output logon_reg_processes, logon_reg_keys

Splunk Search - Modification of Userinit, Shell or Notify (Splunk)

This is a Splunk representation of the above pseudocode.

(((((EventCode="4688" OR EventCode="1") ((CommandLine="*reg*" CommandLine="*add*" CommandLine="*/d*") OR ((CommandLine="*Set-ItemProperty*" OR CommandLine="*New-ItemProperty*") CommandLine="*-value*")) CommandLine="*\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" (CommandLine="*Userinit*" OR CommandLine="*Shell*" OR CommandLine="*Notify*")) OR ((EventCode="4657") (ObjectValueName="Userinit" OR ObjectValueName="Shell" OR ObjectValueName="Notify"))) OR ((EventCode="13") (TargetObject="*Userinit" OR TargetObject="*Shell" OR TargetObject="*Notify"))))

Elastic Search - Modification of Userinit, Shell or Notify (Elastic)

This is an ElasticSearch representation of the above pseudocode.

(((EventCode:("4688" OR "1") AND ((process.command_line:*reg* AND process.command_line:*add* AND process.command_line:*\/d*) OR (process.command_line:(*Set\-ItemProperty* OR *New\-ItemProperty*) AND process.command_line:*\-value*)) AND process.command_line:*\\Microsoft\\Windows\ NT\\CurrentVersion\\Winlogon* AND process.command_line:(*Userinit* OR *Shell* OR *Notify*)) OR (EventCode:"4657" AND winlog.event_data.ObjectValueName:("Userinit" OR "Shell" OR "Notify"))) OR (EventCode:"13" AND winlog.event_data.TargetObject:(*Userinit OR *Shell OR *Notify)))

LogPoint Search - Modification of Userinit, Shell or Notify (Logpoint)

This is a LogPoint representation of the above pseudocode.

(((EventCode IN ["4688", "1"] ((CommandLine="*reg*" CommandLine="*add*" CommandLine="*/d*") OR (CommandLine IN ["*Set-ItemProperty*", "*New-ItemProperty*"] CommandLine="*-value*")) CommandLine="*\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" CommandLine IN ["*Userinit*", "*Shell*", "*Notify*"]) OR (EventCode IN "4657" ObjectValueName IN ["Userinit", "Shell", "Notify"])) OR (EventCode IN "13" TargetObject IN ["*Userinit", "*Shell", "*Notify"]))

Unit Tests

Test Case 1

Modification on Registry Key with cmd. Calc.exe will be launched when user will login

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d C:\Windows\system32\userinit.exe,C:\Windows\system32\calc.exe

Test Case 2

Modification on Registry Key with Powershell. Calc.exe will be launched when user will login

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name Userinit -Value C:\Windows\system32\userinit.exe,C:\Windows\system32\calc.exe