1. Home
  2. Techniques
  3. Enterprise
  4. Boot or Logon Autostart Execution
  5. Winlogon Helper DLL

Boot or Logon Autostart Execution: Winlogon Helper DLL

ID Name
T1547.001 Registry Run Keys / Startup Folder
T1547.002 Authentication Package
T1547.003 Time Providers
T1547.004 Winlogon Helper DLL
T1547.005 Security Support Provider
T1547.006 Kernel Modules and Extensions
T1547.007 Re-opened Applications
T1547.008 LSASS Driver
T1547.009 Shortcut Modification
T1547.010 Port Monitors
T1547.012 Print Processors
T1547.013 XDG Autostart Entries
T1547.014 Active Setup
T1547.015 Login Items

Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon.[1]

Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: [1]

  • Winlogon\Notify - points to notification package DLLs that handle Winlogon events
  • Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on
  • Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on

Adversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.

ID: T1547.004
Sub-technique of:  T1547
Platforms: Windows
Contributors: Praetorian
Version: 1.3
Created: 24 January 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S0534 Bazar

Bazar can use Winlogon Helper DLL to establish persistence.[2]
S0351 Cannon

Cannon adds the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon to establish persistence.[3]
S1066 DarkTortilla

DarkTortilla has established persistence via the Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key.[4]
S0200 Dipsind

A Dipsind variant registers as a Winlogon Event Notify DLL to establish persistence.[5]
S0168 Gazer

Gazer can establish persistence by setting the value "Shell" with "explorer.exe, %malware_pathfile%" under the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.[6]
S0387 KeyBoy

KeyBoy issues the command reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" to achieve persistence.[7] [8]
S1202 LockBit 3.0

LockBit 3.0 can enable automatic logon through the SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon Registry key.[9]
S1242 Qilin

Qilin can configure a Winlogon registry entry.[10]
S0375 Remexi

Remexi achieves persistence using Userinit by adding the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit.[11]
S0379 Revenge RAT

Revenge RAT creates a Registry key at HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell to survive a system reboot.[12]
G0081 Tropic Trooper

Tropic Trooper has created the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell and sets the value to establish persistence.[13][14]
G0010 Turla

Turla established persistence by adding a Shell value under the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.[15]
G0102 Wizard Spider

Wizard Spider has established persistence using Userinit by adding the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.[16]

Mitigations

ID Mitigation Description
M1038 Execution Prevention

Identify and block potentially malicious software that may be executed through the Winlogon helper process by using application control [17] tools like AppLocker [18] [19] that are capable of auditing and/or blocking unknown DLLs.
M1018 User Account Management

Limit the privileges of user accounts so that only authorized administrators can perform Winlogon helper changes.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0404 Detect Winlogon Helper DLL Abuse via Registry and Process Artifacts on Windows AN1133

Monitor Windows Registry modifications to Winlogon keys (Shell, Userinit, Notify) that introduce new executable or DLL paths. Correlate these changes with subsequent DLL loading, image loads, or process creation originating from winlogon.exe or userinit.exe. Abnormal child process lineage or unauthorized binaries in C:\Windows\System32 may indicate abuse.

References

  1. Langendorf, S. (2013, September 24). Windows Registry Persistence, Part 2: The Run Keys and Search-Order. Retrieved November 17, 2024.
  2. Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020.
  3. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
  4. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
  5. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  6. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
  7. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
  8. Hulcoop, A., et al. (2016, November 17). It’s Parliamentary KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019.
  9. FBI et al. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved February 5, 2025.
  10. Magdy, S. et al. (2022, August 25). New Golang Ransomware Agenda Customizes Attacks. Retrieved September 26, 2025.
  1. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
  2. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
  3. Ray, V. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved November 9, 2018.
  4. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  5. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  6. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
  7. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
  8. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  9. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.