Attack technique
MITRE ATT&CK
- Tactic: Privilege Escalation
- Technique: Process Injection: Portable Executable Injection
Technique description
Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim’s network structure and defenses.
Winlogon.exe is a critical Windows process responsible for managing user logon and logoff. Under normal circumstances, Winlogon.exe should not connect to public IP addresses. Rarely, in some organizations, specific login workflows include a legitimate outgoing connection from winlogon.exe to known IPs and domains owned by trusted vendors.
In most cases, a winlogon.exe process that initiates an outgoing network connection to external IPs and domains may indicate that the process was utilized by a threat actor.
Insights from threat intelligence
Threat intelligence indicates that malicious winlogon.exe outgoing network connections can signal a potential compromise or malware activity within a Windows environment. Winlogon.exe is a critical system process responsible for user authentication and session management, making it an attractive target for attackers seeking persistence or privilege escalation. Outbound connections initiated by winlogon.exe, especially to unfamiliar or suspicious destinations, could indicate command-and-control (C2) communication, data exfiltration, or lateral movement attempts by malware.
Team Axon encountered campaigns where winlogon.exe was used as a proxy for malicious C2 network connections, initiated by Cobalt Strike beacons in use by the ransomware group BlackBasta. Using winlogon.exe, the threat actors managed to download malicious payloads and exfiltrate sensitive data stealthily.
References
- Guidance for investigating attacks using CVE-2022-21894 | Microsoft
- Malicious ISO File Leads to Domain Wide Ransomware | The DFIR Report
Threat hunting theses breakdown
Relevant data sources: EDR Raw Logs
Thesis explanation
The thesis uses EDR telemetry and is based on correlating network connection logs with the process creation event of the winlogon.exe process.
As the thesis only applies to Windows, we will start by filtering on the operating system from which the EDR telemetry originates. Then, we will look for any outgoing network connection by filtering the destination IP to match an external IP address.
We will also narrow the outgoing connections to those initiated by a process named ‘winlogon.exe’ whose image path is in the System32 or SysWOW64 folder. This ensures that only executions of the native winlogon.exe binary are included, and not a same-named file dropped elsewhere.
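The filter chain described above, written out as an added example that is not part of the original page or Team Axon's gist; the event field names, the (host, pid) join key and the sample telemetry are constructed for illustration:

```python
import ipaddress

# Constructed sample EDR telemetry (not from the page): process creation events
# carry the image path, network events carry the destination, joined on (host, pid).
PROCESS_EVENTS = [
    {"host": "WS01", "os": "Windows", "pid": 612, "image": r"C:\Windows\System32\winlogon.exe"},
    {"host": "WS01", "os": "Windows", "pid": 4410, "image": r"C:\Users\Public\winlogon.exe"},  # lookalike
    {"host": "WS02", "os": "Windows", "pid": 700, "image": r"C:\Windows\SysWOW64\winlogon.exe"},
    {"host": "LX01", "os": "Linux", "pid": 900, "image": "/opt/winlogon.exe"},
]
NETWORK_EVENTS = [
    {"host": "WS01", "pid": 612, "process": "winlogon.exe", "dst": "203.0.113.10", "dport": 443},
    {"host": "WS01", "pid": 612, "process": "winlogon.exe", "dst": "10.0.0.5", "dport": 445},
    {"host": "WS01", "pid": 4410, "process": "winlogon.exe", "dst": "198.51.100.7", "dport": 8080},
    {"host": "WS02", "pid": 700, "process": "WINLOGON.EXE", "dst": "192.0.2.44", "dport": 443},
    {"host": "LX01", "pid": 900, "process": "winlogon.exe", "dst": "192.0.2.45", "dport": 443},
]

# Only these paths count as the native binary; a same-named file elsewhere is excluded.
NATIVE_PATHS = (r"\windows\system32\winlogon.exe", r"\windows\syswow64\winlogon.exe")
# Non-routable ranges treated as internal. Kept explicit (instead of ipaddress.is_global)
# so the documentation addresses used in the sample are classified as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",      # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",       # loopback, link-local, multicast
    "0.0.0.0/8", "100.64.0.0/10", "255.255.255.255/32",   # this-host, CGNAT, broadcast
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",       # IPv6 equivalents
)]

def is_external(ip: str) -> bool:
    """True when the destination is outside every internal range (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def hunt(process_events, network_events):
    """Apply the thesis: Windows host, native winlogon.exe image, external destination."""
    procs = {(p["host"], p["pid"]): p for p in process_events}
    hits = []
    for n in network_events:
        p = procs.get((n["host"], n["pid"]))
        if p is None or p["os"] != "Windows":
            continue                                   # Windows-only thesis
        if n["process"].lower() != "winlogon.exe":
            continue                                   # process name filter
        if not p["image"].lower().endswith(NATIVE_PATHS):
            continue                                   # System32/SysWOW64 only
        if is_external(n["dst"]):
            hits.append({**n, "image": p["image"]})    # keep the image path for triage
    return hits
```

Calling `hunt(PROCESS_EVENTS, NETWORK_EVENTS)` returns the two connections made by the native binary to the documentation addresses; the lookalike under C:\Users\Public, the internal SMB connection and the Linux host are all filtered out.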
Blind spots
None
Recommended investigation flow
Investigate the destination address:
Domain
- Is it in Umbrella 1M?
- Is it a baby domain (registered recently)?
- Which registrar registered it?
- Does it have a valid certificate?
- Does the whois information reveal the organization that owns the domain?
- When was it first accessed by the organization?
- How frequently is it accessed by the organization?
IP
- Which ASN does it belong to?
- Is it hosting?
- Is it a proxy IP?
- When was it first accessed by the organization?
- How frequently is it accessed by the organization?
Hunting Queries
The gist contains a threat-hunting query that allows finding suspicious winlogon.exe outgoing network connections: