AN1133: Analytic 1133
Monitor Windows Registry modifications to Winlogon keys (Shell, Userinit, Notify) that introduce new executable or DLL paths. Correlate these changes with subsequent DLL loading, image loads, or process creation originating from winlogon.exe or userinit.exe. Abnormal child process lineage or unauthorized binaries in C:\Windows\System32 may indicate abuse.
Analyst context for executives and security teams
This analytic matters because changes to Windows Winlogon registry keys can alter what runs during user logon, creating a persistence and execution risk around a highly trusted operating system pathway. For leaders, the practical question is whether the organization can prove it sees unauthorized changes to these keys and can connect those changes to later process or DLL activity from winlogon.exe or userinit.exe.
Executive priority
Prioritize this as a Windows endpoint visibility and incident readiness check. It supports resilience by validating whether SOC and IR teams can detect suspicious logon-related registry changes before they become long-lived unauthorized execution. It is also useful audit evidence for endpoint monitoring, change control, and privileged activity oversight, especially where unauthorized binaries in C:\Windows\System32 would be high risk.
Technical view
On Windows systems, validate monitoring for registry modifications to Winlogon keys including Shell, Userinit, and Notify when new executable or DLL paths are introduced. Correlate those registry changes with later DLL loading, image loads, or process creation from winlogon.exe or userinit.exe. Investigate abnormal child process lineage and binaries placed in C:\Windows\System32 that are not expected or authorized.
Likely telemetry
- Windows Registry modification events for Winlogon-related keys
- Process creation events including parent-child lineage for winlogon.exe and userinit.exe
- Image load and DLL load telemetry
- File path and binary metadata for executables or DLLs referenced by modified registry values
- Endpoint timestamps that allow correlation between registry change and later execution activity
Detection direction
- Confirm registry auditing or EDR telemetry captures writes to the Shell and Userinit values and to the Notify subtree, including the new path written. Notify entries are subkeys (Winlogon\Notify\<name>\DllName) rather than a single value, so the monitored scope must cover that subtree, not one value name.
- Build the correlation on sequence: a registry modification followed, within a bounded window, by an image load, DLL load, or child process from winlogon.exe or userinit.exe that references the path just written.
- Baseline legitimate Winlogon configuration and approved software behavior to reduce false positives from authorized administrative or installation activity.
- Review alerts involving unauthorized or unexpected binaries in C:\Windows\System32 with higher priority.
- Check for blind spots where registry events are collected but process lineage or DLL/image load telemetry is missing, because the analytic depends on correlation.
Mitigation priorities
- Establish and document approved baseline values for the relevant Winlogon registry keys. On a stock installation Shell is explorer.exe and Userinit is C:\Windows\system32\userinit.exe, (with a trailing comma); record any approved additions explicitly so they can be excluded from alerting.
- Restrict and monitor administrative access capable of modifying these keys.
- Use endpoint controls and change-management processes to prevent or quickly identify unauthorized writes to sensitive Windows registry locations.
- Maintain file integrity and allowlist expectations for binaries in C:\Windows\System32 where feasible.
- Ensure incident response playbooks include validation of Winlogon registry values, referenced binaries, and related winlogon.exe or userinit.exe execution history.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for Windows and provides a monitoring concept but no separate official detection logic, tactics, mitigations, or relationships. The strongest use is as a coverage validation item: can the environment observe the registry change and correlate it with later execution behavior?
No relationship context, tactic mapping, active exploitation evidence, attribution, or platform beyond Windows was supplied. Local baselines are required to distinguish authorized configuration changes from suspicious activity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 |  | 1.0 |  | Current bundle | 37f87cc8900c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1133
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.