Winlogon Helper DLL

let WinlogonValues = dynamic(["Shell", "Userinit", "Notify", "VmApplet", "AppSetup", "Taskman"]);
let DefaultShell = "explorer.exe";
let DefaultUserinit = "C:\\Windows\\system32\\userinit.exe,";
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType == "RegistryValueSet"
| where RegistryKey has "\\Windows NT\\CurrentVersion\\Winlogon"
| where RegistryValueName in~ (WinlogonValues)
| where not(RegistryValueData =~ DefaultShell and RegistryValueName =~ "Shell")
| where not(RegistryValueData =~ DefaultUserinit and RegistryValueName =~ "Userinit")
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| sort by Timestamp desc

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13
  TargetObject="*\\Windows NT\\CurrentVersion\\Winlogon\\*"
  (TargetObject="*\\Shell" OR TargetObject="*\\Userinit" OR TargetObject="*\\Notify" OR TargetObject="*\\VmApplet" OR TargetObject="*\\AppSetup" OR TargetObject="*\\Taskman")
  NOT (Details="explorer.exe" OR Details="C:\\Windows\\system32\\userinit.exe,")
| table _time, host, TargetObject, Details, Image, User
| sort - _time

registry where registry.path : ("*\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "*\\Windows NT\\CurrentVersion\\Winlogon\\Userinit", "*\\Windows NT\\CurrentVersion\\Winlogon\\Notify", "*\\Windows NT\\CurrentVersion\\Winlogon\\VmApplet", "*\\Windows NT\\CurrentVersion\\Winlogon\\AppSetup", "*\\Windows NT\\CurrentVersion\\Winlogon\\Taskman") and not (
  (registry.value == "Shell" and registry.data.strings : ("explorer.exe")) or
  (registry.value == "Userinit" and registry.data.strings : ("C:\\Windows\\system32\\userinit.exe,"))
)

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
       LOGSOURCENAME(logsourceid) AS "Log Source",
       "sourceip" AS "Host IP",
       "HostName" AS "Hostname",
       "TargetObject" AS "Registry Key Path",
       "Details" AS "Value Data",
       "Image" AS "Initiating Process",
       username AS "User"
FROM events
WHERE LOGSOURCETYPEID(devicetype) = 'Microsoft Windows'
  AND QIDNAME(qid) ILIKE '%Sysmon%'
  AND (eventid = '13' OR "EventID" = '13')
  AND ("TargetObject" ILIKE '%\\Windows NT\\CurrentVersion\\Winlogon\\Shell'
    OR "TargetObject" ILIKE '%\\Windows NT\\CurrentVersion\\Winlogon\\Userinit'
    OR "TargetObject" ILIKE '%\\Windows NT\\CurrentVersion\\Winlogon\\Notify'
    OR "TargetObject" ILIKE '%\\Windows NT\\CurrentVersion\\Winlogon\\VmApplet'
    OR "TargetObject" ILIKE '%\\Windows NT\\CurrentVersion\\Winlogon\\AppSetup'
    OR "TargetObject" ILIKE '%\\Windows NT\\CurrentVersion\\Winlogon\\Taskman')
  AND "Details" NOT ILIKE 'explorer.exe'
  AND "Details" NOT ILIKE 'C:\\Windows\\system32\\userinit.exe,'
  AND devicetime > DATEADD('hour', -24, NOW())
ORDER BY devicetime DESC

_sourceCategory=*windows* (EventCode=13 OR EventID=13)
| where TargetObject matches "*\\Windows NT\\CurrentVersion\\Winlogon\\*"
| where TargetObject matches "*\\Shell" OR TargetObject matches "*\\Userinit" OR TargetObject matches "*\\Notify" OR TargetObject matches "*\\VmApplet" OR TargetObject matches "*\\AppSetup" OR TargetObject matches "*\\Taskman"
| where !(Details = "explorer.exe" OR Details = "C:\\Windows\\system32\\userinit.exe,")
| parse field=TargetObject "*\\" as RegistryValueName last
| parse field=Image "*\\" as ProcessName last
| table _time, host, TargetObject, RegistryValueName, Details, Image, ProcessName, User
| sort by _time desc

rule winlogon_helper_dll_persistence {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects modifications to Winlogon registry keys (Shell, Userinit, Notify, VmApplet, AppSetup, Taskman) that may indicate Winlogon Helper DLL persistence (T1547.004). Adversary groups including Turla, Wizard Spider, and LockBit abuse these keys."
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1547.004"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1547/004/"

  events:
    $e.metadata.event_type = "REGISTRY_MODIFICATION"
    $e.target.registry.registry_key = /(?i)\\Windows NT\\CurrentVersion\\Winlogon/
    $e.target.registry.registry_value_name = /(?i)^(Shell|Userinit|Notify|VmApplet|AppSetup|Taskman)$/
    not (
      $e.target.registry.registry_value_name = "Shell" and
      $e.target.registry.registry_value_data = "explorer.exe"
    )
    not (
      $e.target.registry.registry_value_name = "Userinit" and
      $e.target.registry.registry_value_data = /(?i)C:\\Windows\\system32\\userinit\.exe,/
    )

  condition:
    $e
}

#event_simpleName = /AsepValueUpdate|RegGenericValueUpdate/
| TargetObject = /\\Windows NT\\CurrentVersion\\Winlogon\\/
| TargetValueName = /^(Shell|Userinit|Notify|VmApplet|AppSetup|Taskman)$/
| !(TargetValueName = "Shell" AND TargetValueData = "explorer.exe")
| !(TargetValueName = "Userinit" AND TargetValueData = /C:\\Windows\\system32\\userinit\.exe,/i)
| ImageFileName match /\\([^\\]+)$/ as ProcessName
| groupBy([ComputerName, ProcessName, TargetObject, TargetValueName, TargetValueData, UserName], function=count(as=EventCount))
| sort(EventCount, order=desc)