Winlogon Helper DLL (T1547.004)

Tactic: Persistence, Privilege Escalation

Platforms: Windows
Reference: attack.mitre.org/techniques/T1547.004

Description

Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[\Wow6432Node]\Microsoft\Windows NT\CurrentVersion\Winlogon and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013)

Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013)

  • Winlogon\Notify - points to notification package DLLs that handle Winlogon events
  • Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on
  • Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on

Adversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.
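
A defender's check for the values listed above, added here as an example (it is not part of the original page or of the ATT&CK text): it compares Userinit and Shell against an assumed stock baseline and reports every Notify package DLL. The audit_winlogon function, the baseline values and the sample records are assumptions constructed for illustration; the records could come from a registry export.

```python
import re

# Winlogon key locations named on this page (HKLM, HKLM Wow6432Node, HKCU).
WINLOGON = re.compile(
    r"^(HKLM\\Software(\\Wow6432Node)?|HKCU\\Software)"
    r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon(\\.*)?$", re.I)

# Assumed baseline for a stock install; replace with your own gold image.
BASELINE = {
    "userinit": {r"c:\windows\system32\userinit.exe"},
    "shell": {"explorer.exe"},
}

def audit_winlogon(records):
    """records: iterable of (key_path, value_name, data); returns findings."""
    findings = []
    for key, name, data in records:
        m = WINLOGON.match(key)
        if not m:
            continue  # not a Winlogon key
        subkey = (m.group(3) or "").lower()
        if subkey.startswith("\\notify"):
            # Every registered notification package DLL gets a manual review.
            if name.lower() == "dllname":
                findings.append((key, name, data, "notify package registered"))
            continue
        allowed = BASELINE.get(name.lower())
        if subkey or allowed is None:
            continue  # other subkeys and values are out of scope here
        # Userinit holds a comma-separated list; compare entry by entry.
        entries = [e.strip().strip('"').lower() for e in data.split(",")]
        extra = [e for e in entries if e and e not in allowed]
        if extra:
            findings.append((key, name, data, "unexpected: " + ", ".join(extra)))
    return findings

# Constructed sample records (illustrative, not from a real host).
HKLM = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
WOW = r"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon"
HKCU = r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
SAMPLE = [
    (HKLM, "Userinit", r"C:\Windows\system32\userinit.exe,"),
    (HKLM, "Shell", "explorer.exe"),
    (WOW, "Userinit", r"C:\Windows\system32\userinit.exe,C:\ProgramData\helper.exe"),
    (HKCU, "Shell", r"explorer.exe, C:\Users\Public\sh.exe"),
    (HKLM + r"\Notify\example", "DllName", "example.dll"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Updater", "u.exe"),
]
if __name__ == "__main__":
    print(*audit_winlogon(SAMPLE), sep="\n")
```

The default Userinit value ends with a trailing comma, which is why empty entries are ignored rather than flagged.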

How GTK Cyber trains on this

GTK Cyber's hands-on training programs cover detection engineering across the MITRE ATT&CK framework, including the Persistence and Privilege Escalation tactics this technique falls under. Our practitioner-led courses focus on building real detections, not just memorizing technique IDs.
