Correct T1547.004 Winlogon Notification test (#2470)

* Corrected T1547.004 Winlogon Notification test

* Added hint on deprecation

---------

Co-authored-by: Hare Sudhan <code@0x6c.dev>

atomics/T1547.004/T1547.004.md

@@ -106,7 +106,9 @@ Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Wi
 ## Atomic Test #3 - Winlogon Notify Key Logon Persistence - PowerShell
 PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon.
 
-Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon/logoff.
+Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon.
+
+Please note that Winlogon Notifications have been removed as of Windows Vista / Windows Server 2008 and that this test thus only applies to erlier versions of Windows.
 
 **Supported Platforms:** Windows
 
@@ -121,19 +123,23 @@ Upon successful execution, PowerShell will modify a registry value to execute at
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | binary_to_execute | Path of notification package to execute | path | C:\Windows\Temp\atomicNotificationPackage.dll|
+| function_to_execute | Function in notification package to execute | string | AtomicTestFunction|
 
 
 #### Attack Commands: Run with `powershell`! 
 
 
 ```powershell
-New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force
-Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force
+New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" -Force
+Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "DllName" "#{binary_to_execute}" -Type ExpandString -Force
+Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Logon" "#{function_to_execute}" -Force
+Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Impersonate" 1 -Type DWord -Force
+Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Asynchronous" 0 -Type DWord -Force
 ```
 
 #### Cleanup Commands:
 ```powershell
-Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force -ErrorAction Ignore
+Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" -Force -ErrorAction Ignore
 ```
 
 

atomics/T1547.004/T1547.004.yaml

@@ -47,18 +47,27 @@ atomic_tests:
   description: |
     PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon.
 
-    Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon/logoff.
+    Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon.
+
+    Please note that Winlogon Notifications have been removed as of Windows Vista / Windows Server 2008 and that this test thus only applies to erlier versions of Windows.
   supported_platforms:
   - windows
   input_arguments:
     binary_to_execute:
       description: Path of notification package to execute
       type: path
       default: C:\Windows\Temp\atomicNotificationPackage.dll
+    function_to_execute:
+      description: Function in notification package to execute
+      type: string
+      default: AtomicTestFunction
   executor:
     command: |
-      New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force
-      Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force
+      New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" -Force
+      Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "DllName" "#{binary_to_execute}" -Type ExpandString -Force
+      Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Logon" "#{function_to_execute}" -Force
+      Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Impersonate" 1 -Type DWord -Force
+      Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Asynchronous" 0 -Type DWord -Force
     cleanup_command: |
       Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force -ErrorAction Ignore
     name: powershell