CAPEC-579: Replace Winlogon Helper DLL

Abstraction: Detailed
Status: Draft

Description

Winlogon is a part of Windows that performs logon actions. In Windows systems prior to Windows Vista, a registry key can be modified that causes Winlogon to load a DLL on startup. Adversaries may take advantage of this feature to load adversarial code at startup. Metadata: detailed CAPEC pattern, status draft. Underlying weakness: CWE-15. Mapped ATT&CK technique: T1547.004. Related CAPEC pattern: CAPEC-542.

Related weaknesses · 1

CWE-15

MITRE ATT&CK crosswalk · 1

T1547.004: Boot or Logon Autostart Execution: Winlogon helper DLL

Related attack patterns · 1

CAPEC-542 (ChildOf)

Exploits · 1

Type | Target | Confidence | Tier
Weakness | External Control of System or Configuration Setting (cwe-15) | 100% | live

Related to · 1

Type | Target | Confidence | Tier
SubTechnique | Winlogon Helper DLL (t1547.004) | 100% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

Sub-technique: Winlogon Helper DLL
CAPEC: Modification of Registry Run Keys
CAPEC: Modification of Windows Service Configuration
CAPEC: Run Software at Logon
CAPEC: Replace Trusted Executable
CAPEC: DLL Side-Loading

Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.