CAPEC-579 Metadata
Likelihood of Attack
Medium
Typical Severity
Medium
Overview
Summary
Winlogon is a part of Windows that performs logon actions. In Windows systems prior to Windows Vista, a registry key can be modified that causes Winlogon to load a DLL on startup. Adversaries may take advantage of this feature to load adversarial code at startup.
Prerequisites
No prerequisites listed.
Potential Solutions / Mitigations
Changes to registry entries in "HKLM\Software\Microsoft\Windows NT\Winlogon\Notify" that do not correlate with known software, patch cycles, etc are suspicious. New DLLs written to System32 which do not correlate with known good software or patching may be suspicious.
Related Weaknesses (CWE)
| CWE ID | Description |
|---|---|
| CWE-15 | External Control of System or Configuration Setting |
Related CAPECs
| CAPEC ID | Description |
|---|---|
| CAPEC-542 | An adversary develops targeted malware that takes advantage of a known vulnerability in an organizational information technology environment. The malware crafted for these attacks is based specifically on information gathered about the technology environment. Successfully executing the malware enables an adversary to achieve a wide variety of negative technical impacts. |
Taxonomy Mappings
Taxonomy: ATTACK
| Entry ID | Entry Name |
|---|---|
| 1547.004 | Boot or Logon Autostart Execution: Winlogon helper DLL |
Stay Ahead of Attack Patterns
Understanding CAPEC patterns helps security professionals anticipate and thwart potential attacks. Leverage these insights to enhance threat modeling, strengthen your software development lifecycle, and train your security teams effectively.