persist via Winlogon Helper DLL registry key

rule:
  meta:
    name: persist via Winlogon Helper DLL registry key
    namespace: persistence/registry/winlogon-helper
    authors:
      - 0x534a@mailbox.org
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Persistence::Boot or Logon Autostart Execution::Winlogon Helper DLL [T1547.004]
    examples:
      - 9ff8e68343cc29c1036650fc153e69f7:0x47f818
  features:
    - and:
      - or:
        - match: set registry value
        - number: 0x80000001 = HKEY_CURRENT_USER
        - number: 0x80000002 = HKEY_LOCAL_MACHINE
      - string: /Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon/i
      - or:
        - string: /Notify/i
        - string: /Userinit/i
        - string: /Shell/i