Winlogon Helper DLL Persistence
Achieves persistence through the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.
Note
The module makes no attempt to evade detection and requires administrator privileges.
Operation Method
- Generate a listener
- Obtain a Session with administrator privileges
- Run the module and fill in the listener configuration
- The listener is cached: after the module runs successfully, a virtual listener is generated automatically from the listener parameters you filled in, which makes it easy to restore when the server restarts
- Module execution results
- After the target machine restarts, userinit.exe is executed whenever any user logs in, and a new Session is generated
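
Because the logon-time launch described above is driven by values under the Winlogon key, a defender can audit that key for entries beyond the stock ones. The following is an added example, not part of the module or its documentation: it parses `reg query` text output and reports any `Userinit` or `Shell` entry that is not a default. The sample output is constructed, and the expected defaults assume Windows is installed in C:\Windows.

```python
import re

# Stock entries on a default install (assumption: Windows lives in C:\Windows).
EXPECTED = {
    "userinit": {r"c:\windows\system32\userinit.exe", "userinit.exe"},
    "shell": {"explorer.exe"},
}
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s*(.*)$")

# Constructed sample `reg query` output: a clean host and a tampered one.
KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
CLEAN = KEY + "\n" + r"""    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
    Shell    REG_SZ    explorer.exe
"""
TAMPERED = KEY + "\n" + r"""    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,C:\ProgramData\helper.exe
    Shell    REG_SZ    explorer.exe
"""


def parse_reg_query(text):
    """Return {value_name_lower: data} from `reg query` text output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)  # key-path lines are not indented, so they are skipped
        if m:
            values[m.group(1).lower()] = m.group(3).strip()
    return values


def audit_winlogon(text):
    """Return (value_name, entry) pairs that are not stock Windows entries."""
    findings = []
    values = parse_reg_query(text)
    for name, allowed in EXPECTED.items():
        data = values.get(name)
        if data is None:
            findings.append((name, "<value missing>"))
            continue
        # Winlogon launches every comma-separated entry, so check each one.
        entries = [e.strip().strip('"') for e in data.split(",") if e.strip()]
        findings += [(name, e) for e in entries if e.lower() not in allowed]
    return findings


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(label, audit_winlogon(sample))
```

On a live host, feed the function the output of `reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"`.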