CAPEC-579: Replace Winlogon Helper DLL
Winlogon is a part of Windows that performs logon actions. In Windows systems prior to Windows Vista, a registry key can be modified that causes Winlogon to load a DLL on startup. Adversaries may take advantage of this feature to load adversarial code at startup.
Last updated
Overview
CAPEC-579 (Replace Winlogon Helper DLL) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
How to mitigate it
Defenses that reduce the risk of CAPEC-579.
- Changes to registry entries in "HKLM\Software\Microsoft\Windows NT\Winlogon\Notify" that do not correlate with known software, patch cycles, etc are suspicious. New DLLs written to System32 which do not correlate with known good software or patching may be suspicious.
Terminology & mappings
Mapped taxonomies
- ATTACK: Boot or Logon Autostart Execution: Winlogon helper DLL (1547.004)
Frequently asked questions
Common questions about CAPEC-579.
- What is CAPEC-579?
- Winlogon is a part of Windows that performs logon actions. In Windows systems prior to Windows Vista, a registry key can be modified that causes Winlogon to load a DLL on startup. Adversaries may take advantage of this feature to load adversarial code at startup.
- How do you prevent CAPEC-579?
- Changes to registry entries in "HKLM\Software\Microsoft\Windows NT\Winlogon\Notify" that do not correlate with known software, patch cycles, etc are suspicious. New DLLs written to System32 which do not correlate with known good software or patching may be suspicious.
- What weaknesses does CAPEC-579 target?
- CAPEC-579 exploits 1 CWE weakness, including CWE-15 (External Control of System or Configuration Setting).
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-579
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.