LoFP LoFP / it is possible legitimate applications will request access to winlogon, filter as needed.

Techniques

Sample rules

Windows Access Token Manipulation Winlogon Duplicate Token Handle

Description

The following analytic identifies a process requesting access to winlogon.exe attempting to duplicate its handle. This technique was seen in several adversaries to gain privileges for their process. Winlogon.exe is the common targeted process of this technique because it contains high privileges and security tokens.

Detection logic

`sysmon` EventCode=10 TargetImage IN("*\\system32\\winlogon.exe*", "*\\SysWOW64\\winlogon.exe*") GrantedAccess = 0x1040 
| stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace dest user_id 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_access_token_manipulation_winlogon_duplicate_token_handle_filter`

Windows Access Token Winlogon Duplicate Handle In Uncommon Path

Description

The following analytic identifies a process requesting access in winlogon.exe to duplicate its handle with a non-common or public process source path. This technique was seen where adversaries attempt to gain privileges to their process. This duplicate handle access technique, may refer to a malicious process duplicating the process token of winlogon.exe and using it to a new process instance. Winlogon.exe is the common targeted process of this technique because it contains high privileges and security tokens.

Detection logic

`sysmon` EventCode=10  TargetImage IN("*\\system32\\winlogon.exe*", "*\\SysWOW64\\winlogon.exe*") AND GrantedAccess = 0x1040 AND NOT (SourceImage IN("C:\\Windows\\*", "C:\\Program File*", "%systemroot%\\*")) 
| stats count min(_time) as firstTime max(_time) as lastTime by Computer SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace 
| rename Computer as dest
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_access_token_winlogon_duplicate_handle_in_uncommon_path_filter`