LoFP / it is possible legitimate applications will request access to winlogon, filter as needed.

Techniques

• T1134
• T1134.001

Sample rules

Windows Access Token Manipulation Winlogon Duplicate Token Handle

• source: splunk
• technicques:
  • T1134.001
  • T1134

Description

The following analytic detects a process attempting to access winlogon.exe to duplicate its handle. This is identified using Sysmon EventCode 10, focusing on processes targeting winlogon.exe with specific access rights. This activity is significant because it is a common technique used by adversaries to escalate privileges by leveraging the high privileges and security tokens associated with winlogon.exe. If confirmed malicious, this could allow an attacker to gain elevated privileges, potentially leading to full system compromise and unauthorized access to sensitive information.

Detection logic

`sysmon` EventCode=10 TargetImage IN("*\\system32\\winlogon.exe*", "*\\SysWOW64\\winlogon.exe*") GrantedAccess = 0x1040 
| stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace dest user_id 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_access_token_manipulation_winlogon_duplicate_token_handle_filter`

Windows Access Token Winlogon Duplicate Handle In Uncommon Path

• source: splunk
• technicques:
  • T1134.001
  • T1134

Description

The following analytic detects a process attempting to duplicate the handle of winlogon.exe from an uncommon or public source path. This is identified using Sysmon EventCode 10, focusing on processes targeting winlogon.exe with specific access rights and excluding common system paths. This activity is significant because it may indicate an adversary trying to escalate privileges by leveraging the high-privilege tokens associated with winlogon.exe. If confirmed malicious, this could allow the attacker to gain elevated access, potentially leading to full system compromise and persistent control over the affected host.

Detection logic

`sysmon` EventCode=10  TargetImage IN("*\\system32\\winlogon.exe*", "*\\SysWOW64\\winlogon.exe*") AND GrantedAccess = 0x1040 AND NOT (SourceImage IN("C:\\Windows\\*", "C:\\Program File*", "%systemroot%\\*")) 
| stats count min(_time) as firstTime max(_time) as lastTime by Computer SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace 
| rename Computer as dest
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_access_token_winlogon_duplicate_handle_in_uncommon_path_filter`