abc1230940/SOC211-Utilman.exe-Winlogon-Exploit-Attempt

GitHub: abc1230940/SOC211-Utilman.exe-Winlogon-Exploit-Attempt

Detection and response for attack attempts targeting Utilman.exe and Winlogon.exe on Windows systems.

Stars: 0 | Forks: 0



SOC211 Utilman.exe Winlogon Exploit Attempt Walkthrough

🔎 Table of Contents
  1. Scenario
  2. Alert Overview
  3. Tools Used
  4. Analysis
  5. Playbook
  6. Analyst Notes
  7. References

(Back to Top)

Scenario

On June 21, 2023 at 11:02 AM, host Henry triggered an alert for "Command Launched from Winlogon".

(Back to Top)

Alert Overview


EventID : 161

Event Time : Jun, 21, 2023, 11:02 AM

Rule : SOC211 - Utilman.exe Winlogon Exploit Attempt

Level : Security Analyst

Hostname : Henry

IP Address : 172.16.17.149

Process Name : Utilman.exe

Process Hash : ded8fd7f36417f66eb6ada10e0c0d7c0022986e9

Parent Process : Winlogon.exe

Command Line : net user superman onepunch123 /add

Trigger Reason : Command Launched from Winlogon

Device Action : Allowed

(Back to Top)

Tools Used

  1. VirusTotal
  2. Gemini

(Back to Top)

Analysis

Let's dig into the Endpoint Security Log for the alert triage.

Endpoint Security

Terminal History

As the terminal history in the screenshot above shows, suspicious activities were discovered both before and after the shutdown of the machine.

  1. After shutdown

    Let's look at the terminal history after the shutdown first.

    • The suspicious user "superman" was added on the host at 11:02:12 AM, which triggered the alert (net user superman onepunch123 /add).
    • The user "superman" was then added to the privileged group "administrators" at 11:03:14 AM (net localgroup administrators superman /add).
    • Before that, users on the local machine were enumerated at 11:00:00 AM and 11:00:09 AM respectively (net user, whoami).


    When I checked the event logs of the host, they showed that the commands were initiated by utilman.exe, spawned by winlogon.exe and executed as NT AUTHORITY\SYSTEM, which seemed odd to me. Therefore, I went back to the terminal history.



  2. Before shutdown

    • The System32 folder was accessed at 10:06:34 AM (cd C:\Windows\System32).
    • utilman.exe was first renamed to utilman.exe.old at 10:07:05 AM (rename utilman.exe utilman.exe.old).
    • cmd.exe was then copied as utilman.exe at 10:07:12 AM (copy cmd.exe utilman.exe).

I also checked the process hash of utilman.exe (ded8fd7f36417f66eb6ada10e0c0d7c0022986e9) on VirusTotal: the original file name of this utilman.exe was actually cmd.exe. This confirmed that utilman.exe had been hijacked, i.e. replaced by cmd.exe, to execute the malicious commands after the machine was rebooted.



utilman.exe

So what actually is utilman.exe? After a little research on Google: it is the program responsible for the Ease of Access features on the Windows login screen, launched by clicking the Ease of Access icon or pressing Win + U. The program runs with the highest system privilege (NT AUTHORITY\SYSTEM).



Replacing utilman.exe with cmd.exe was originally not a malicious exploit but an administrative tactic for password recovery. When a system administrator forgot the password to a critical local machine, they could boot into a recovery environment, copy cmd.exe over utilman.exe from the terminal, reboot the computer, open utilman.exe (now cmd.exe) from the login screen and reset the administrator's password in order to log into the system again. The article from tekRescue also gives a tutorial on resetting a password with this method.

However, attackers abuse the same trick to create backdoor users for persistence or privilege escalation, because the resulting shell runs in "God" mode as SYSTEM.

(Back to Top)

Attack Chain

After the system was shut down, the attacker returned to the login screen and pressed Win + U at 10:58:30 AM; a terminal was opened as NT AUTHORITY\SYSTEM, users were enumerated, and the backdoor user "superman" was added and then added to the "administrators" group.

Both smss.exe and Winlogon.exe are Windows core processes. smss.exe is responsible for initializing the Windows session and winlogon.exe is responsible for the user logon and logout processes. winlogon.exe is spawned by smss.exe upon system startup.


For more information about Windows Core Processes, you can also check the Windows Core Processes room from TryHackMe, which gave an excellent tutorial about this topic.

Therefore, we can summarise the attacker's attack chain as a process tree:

smss.exe -> winlogon.exe (PID:1828)

  • -> utilman.exe (PID: 5956) -> net.exe net1 user (PID: 7716)
  • -> utilman.exe whoami (PID: 5956)
  • -> utilman.exe -> net.exe net1 user superman onepunch123 /add (PID: 6524)
  • -> utilman.exe (PID: 5956) -> net.exe net1 localgroup administrators superman /add (PID: 4532)
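The detection logic behind the "Command Launched from Winlogon" alert, as an added example that is not part of the original write-up: it walks a process-creation log, flags account commands whose parent is utilman.exe and whose grandparent is winlogon.exe, and tags each hit with the tactic it serves. The events are constructed; the PIDs loosely follow the tree above, and the benign control rows are assumptions.

```python
# Added example (not from the original write-up): flag the process-tree pattern
# behind the "Command Launched from Winlogon" alert. Events are constructed;
# PIDs loosely follow the tree in the walkthrough.
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    ts: str       # HH:MM:SS, constructed
    pid: int
    ppid: int
    image: str    # executable base name
    user: str
    cmdline: str

SYSTEM = r"NT AUTHORITY\SYSTEM"
EVENTS = [
    ProcEvent("10:57:50", 1828, 600, "winlogon.exe", SYSTEM, "winlogon.exe"),
    ProcEvent("10:58:30", 5956, 1828, "utilman.exe", SYSTEM, "utilman.exe"),
    ProcEvent("11:00:00", 7716, 5956, "net.exe", SYSTEM, "net user"),
    ProcEvent("11:00:09", 7720, 5956, "whoami.exe", SYSTEM, "whoami"),
    ProcEvent("11:02:12", 6524, 5956, "net.exe", SYSTEM, "net user superman onepunch123 /add"),
    ProcEvent("11:03:14", 4532, 5956, "net.exe", SYSTEM, "net localgroup administrators superman /add"),
    # Benign control (constructed): an admin's interactive cmd.exe running the same discovery command.
    ProcEvent("12:00:00", 9001, 1200, "cmd.exe", r"HENRY\itadmin", "cmd.exe"),
    ProcEvent("12:00:05", 9002, 9001, "net.exe", r"HENRY\itadmin", "net user"),
]

# Children that a legitimate Ease of Access launch of utilman.exe never spawns.
SUSPICIOUS_CHILDREN = {"net.exe", "net1.exe", "whoami.exe", "cmd.exe", "powershell.exe"}

def classify(cmdline: str) -> str:
    """Map a command line to the tactic it serves in this attack chain."""
    toks = cmdline.lower().split()
    if not toks:
        return "other"
    if "/add" in toks and "localgroup" in toks:
        return "privilege-escalation"   # net localgroup administrators X /add
    if "/add" in toks and "user" in toks:
        return "persistence"            # net user X <pw> /add (backdoor account)
    if toks[:2] == ["net", "user"] or toks[0] == "whoami":
        return "discovery"              # account / identity enumeration
    return "other"

def detect(events):
    """Return (ts, pid, tactic, cmdline) for each suspicious child of a utilman.exe
    whose own parent is winlogon.exe, i.e. a command run from the logon screen as SYSTEM."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        grand = by_pid.get(parent.ppid) if parent else None
        if (e.image.lower() in SUSPICIOUS_CHILDREN
                and parent and parent.image.lower() == "utilman.exe"
                and grand and grand.image.lower() == "winlogon.exe"):
            hits.append((e.ts, e.pid, classify(e.cmdline), e.cmdline))
    return hits
```

Running `detect(EVENTS)` yields four hits in the order discovery, discovery, persistence, privilege-escalation, while the admin's `net user` under a normal cmd.exe is not flagged.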

(Back to Top)

Playbook


Yes, suspicious


Persistence


User


(Back to Top)

Analyst Notes

Severity: Medium

Type: LOLBin

Event Time: June 21, 2023, 10:06:34 - 10:24:08 AM (cmd.exe renamed to utilman.exe)

June 21, 2023, 11:00:00 - 11:03:14 AM (user enumeration, backdoor user creation)

Affected Entities:

Hostname: Henry

IP Address: 172.16.17.149

True Positive Reason:

On June 21, 2023 at 11:02 AM, an alert for "Command Launched from Winlogon" was triggered on host Henry with the command line net user superman onepunch123 /add.

According to the terminal history, user enumeration on the system (whoami, net user) was detected at 2023-06-21 11:00:00 and 2023-06-21 11:00:09. Subsequently, the suspicious user "superman" was added to the privileged group "administrators" at 2023-06-21 11:03:14 with the command line "net localgroup administrators superman /add", indicating that a suspicious unknown user was added to the system. According to the event logs, the commands were initiated by utilman.exe launched by winlogon.exe and executed as NT AUTHORITY\SYSTEM, which is not a normal process for creating local users.

utilman.exe is a built-in Windows program responsible for launching the Ease of Access features from the Windows login screen, by clicking the "Ease of Access" icon or pressing Win + U. The program runs with the highest system privilege (NT AUTHORITY\SYSTEM). Administrators can also use it to reset forgotten passwords.

Before the user was created, utilman.exe was first renamed to utilman.exe.old at 2023-06-21 10:07:05, and then at 2023-06-21 10:07:12 cmd.exe was copied as utilman.exe in the System32 folder with the command line copy cmd.exe utilman.exe. According to VirusTotal, the original name of the process with hash ded8fd7f36417f66eb6ada10e0c0d7c0022986e9 is cmd.exe, indicating that utilman.exe was hijacked by cmd.exe in order to create a backdoor user with the highest system privileges, and that this is a chain of malicious persistence and privilege escalation activity abusing a LOLBin.

Escalation Reason:

Although there is no evidence of any activity after the backdoor user "superman" was created, utilman.exe was hijacked and the attacker can run any command as NT AUTHORITY\SYSTEM. Further investigation is needed to check whether there was any suspicious activity on the host after the backdoor user "superman" was created.

Remediation:

  • Disconnect host Henry from the internal corporate network.
  • Disable and delete the backdoor account "superman".
  • Delete the forged utilman.exe (the copied cmd.exe) and restore the original file by renaming utilman.exe.old back to utilman.exe.
  • Reset the user passwords on Henry and adopt a stronger password policy (minimum length of 10 characters, with upper- and lower-case letters, digits and special characters).
  • Enable multi-factor authentication or security keys.
  • Review event ID 4624 logs to check the source IP address of logons to the host before the backdoor user was created.
  • Monitor the system for any suspicious activity over the next 24 hours, such as C2 connections, lateral movement or data exfiltration.
  • Review the local Administrators group membership on host Henry to ensure that only authorised IT staff have local administrator write access to system directories.
  • Patch and update the operating system.

Indicators of Compromise:

  • Malicious process: utilman.exe (hash: ded8fd7f36417f66eb6ada10e0c0d7c0022986e9)
  • Backdoor user: superman
  • Command lines:
    • cd C:\Windows\System32
    • rename utilman.exe utilman.old
    • copy cmd.exe utilman.exe
    • shutdown /h /t 0
    • net user
    • whoami
    • net user superman onepunch123 /add
    • net localgroup administrators superman /add

(Back to Top)

References

How to Reset the Password on Almost Any Windows Computer (Updated for Windows 11)

Windows Core Processes

Check utilman.exe on VirusTotal

(Back to Top)