CAPEC-579: Replace Winlogon Helper DLL

Detailed Draft

CAPEC版本: 3.9

更新日期: 2023-01-24

攻击模式描述

Winlogon is a part of Windows that performs logon actions. In Windows systems prior to Windows Vista, a registry key can be modified that causes Winlogon to load a DLL on startup. Adversaries may take advantage of this feature to load adversarial code at startup.

缓解措施

Changes to registry entries in "HKLM\Software\Microsoft\Windows NT\Winlogon\Notify" that do not correlate with known software, patch cycles, etc are suspicious. New DLLs written to System32 which do not correlate with known good software or patching may be suspicious.

分类映射

分类名称	条目ID	条目名称
ATTACK	1547.004	Boot or Logon Autostart Execution: Winlogon helper DLL

关键信息

CAPEC ID: CAPEC-579

抽象级别: Detailed

状态: Draft

CAPEC-579: Replace Winlogon Helper DLL

攻击模式描述

缓解措施

分类映射

关键信息

相关攻击模式

相关CWE弱点

CAPEC-579: Replace Winlogon Helper DLL

攻击模式描述

缓解措施

分类映射

关键信息

相关攻击模式

ChildOf CAPEC-542

相关CWE弱点