T1547.004: Winlogon Helper DLL
Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon.[1]
Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: [1]
* Winlogon\Notify - points to notification package DLLs that handle Winlogon events
* Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on
* Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on
Adversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.
Analyst context for executives and security teams
Winlogon Helper DLL abuse matters because it turns the Windows logon process into a persistence point. If an attacker can modify the relevant Winlogon Registry values, malicious DLLs or executables may run whenever a user logs in, supporting continued access and possible privilege escalation.
Executive priority
Treat this as a Windows endpoint resilience and identity-administration control issue. Leaders should ask whether privileged account use, Registry change monitoring, and execution prevention controls can prove that Winlogon autorun locations are governed, baselined, and investigated when changed. It is especially relevant to incident response because persistence tied to logon can survive reboots and re-authentication events.
Technical view
This is a Windows sub-technique under Boot or Logon Autostart Execution with persistence and privilege-escalation tactics. SOC and IR teams should validate visibility into changes under HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\, especially Notify, Userinit, and Shell values. Because ATT&CK provides no official detection text for this object, use the related DET0404 detection strategy as directional context: registry and process artifacts on Windows should be correlated around user logon activity.
Likely telemetry
- Windows Registry modification events for Winlogon paths and values
- Process creation and parent/child process artifacts around user logon
- DLL/module load evidence associated with Winlogon-related execution where available
- Endpoint inventory or autorun enumeration output for Winlogon helper locations
- Account and privilege context for the user or process that modified the Registry
Detection direction
- Baseline expected Winlogon Notify, Userinit, and Shell values and alert on unauthorized changes.
- Correlate Registry modifications with subsequent logon-time process execution or DLL loading.
- Tune out approved administrative or software-management changes, but require evidence of authorization for deviations from baseline.
- Prioritize investigation when changes are made by unexpected accounts, from unusual processes, or shortly before repeated execution at logon.
- Review coverage against related ATT&CK procedure context: Turla, Tropic Trooper, Wizard Spider, and multiple Windows malware families are mapped by ATT&CK as using this technique, but local detection should be behavior-based rather than attribution-led.
Mitigation priorities
- Apply User Account Management controls: limit who can modify sensitive Winlogon Registry locations and enforce least privilege for user and administrator accounts.
- Use Execution Prevention controls so only authorized code can run from approved locations.
- Maintain an approved baseline of Winlogon autorun values and validate it during endpoint hardening, incident response, and compliance evidence collection.
- Include these Registry locations in change-control and endpoint configuration review processes.
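The three Winlogon values named above, the baseline-and-alert detection direction, and the baseline validation called for under mitigation all come down to one check: does a Winlogon value carry the approved data, and if not, who changed it and from what process. The PowerShell below is an added example written for this page; it is not part of the ATT&CK object or of Glexia's analysis, and the baseline data, key list, function names and sample Sysmon records are this example's own assumptions. It reads the live Winlogon keys (HKLM, Wow6432Node and HKCU) and also evaluates Sysmon Event ID 13 style records, so the same baseline serves host auditing and log-based detection.

```powershell
# Added example (not part of the ATT&CK object or the Glexia analysis): audit the
# Winlogon autostart values the technique abuses, both on the live host and in
# constructed Sysmon Event ID 13 ("RegistryEvent (Value Set)") records.

# Approved baseline. These are the stock Windows data for the two values; a site with
# authorised shell/userinit customisations must replace them with its own.
$Baseline = @{
    'Userinit' = 'C:\Windows\system32\userinit.exe,'
    'Shell'    = 'explorer.exe'
}

# Keys to audit on the live host (hypothetical list chosen for this example).
$WinlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Test-WinlogonValue {
    # Compare one (value name, data) pair with the baseline. Returns $null when the
    # pair is acceptable, otherwise an object describing the deviation.
    param([string]$Key, [string]$Name, [string]$Data)
    if (-not $Baseline.ContainsKey($Name)) { return $null }      # not a monitored value
    $expected = $Baseline[$Name]
    # Per-user (HKCU / HKU\<SID>) keys carry no Shell or Userinit value by default, so
    # merely setting one there is a deviation even if the data looks benign.
    if ($Key -match '^(HKCU|HKU\\)') { $expected = '<absent>' }
    elseif ($Data.Trim() -ieq $expected) { return $null }
    [pscustomobject]@{ Key = $Key; Name = $Name; Expected = $expected; Actual = $Data }
}

function Get-WinlogonDeviations {
    # Live host check: read every Winlogon key that exists and report values that
    # differ from the baseline, plus any Notify subkeys (notification packages are
    # normally absent on current Windows versions, so their presence merits review).
    foreach ($key in $WinlogonKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $Baseline.Keys) {
            $data = $props.$name
            if ($null -ne $data) { Test-WinlogonValue -Key $key -Name $name -Data ([string]$data) }
        }
        $notify = Join-Path -Path $key -ChildPath 'Notify'
        if (Test-Path -Path $notify) {
            Get-ChildItem -Path $notify | ForEach-Object {
                [pscustomobject]@{ Key = $notify; Name = $_.PSChildName; Expected = '<absent>'; Actual = 'subkey present' }
            }
        }
    }
}

function Find-WinlogonChangesInEvents {
    # Log-side check: $Events are objects carrying the TargetObject, Details, Image and
    # User fields of a Sysmon Event ID 13 record. Reported deviations keep the writing
    # process and account so the "unexpected account / unusual process" test can be applied.
    param([object[]]$Events)
    foreach ($e in $Events) {
        if ($e.TargetObject -match '^(?<key>.+\\Windows NT\\CurrentVersion\\Winlogon)\\(?<name>[^\\]+)$') {
            $dev = Test-WinlogonValue -Key $Matches['key'] -Name $Matches['name'] -Data ([string]$e.Details)
            if ($dev) {
                $dev | Add-Member -NotePropertyName Image -NotePropertyValue $e.Image
                $dev | Add-Member -NotePropertyName User  -NotePropertyValue $e.User
                $dev
            }
        }
    }
}

# Constructed sample records (not real telemetry). Only the second and third are reported:
# the first matches the baseline, the second appends a program to Userinit, the third
# sets a per-user Shell value.
$SampleEvents = @(
    [pscustomobject]@{ TargetObject = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'
                       Details = 'explorer.exe'
                       Image = 'C:\Windows\System32\svchost.exe'; User = 'NT AUTHORITY\SYSTEM' },
    [pscustomobject]@{ TargetObject = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit'
                       Details = 'C:\Windows\system32\userinit.exe,C:\Users\Public\sample.exe'
                       Image = 'C:\Windows\System32\reg.exe'; User = 'CORP\sampleuser' },
    [pscustomobject]@{ TargetObject = 'HKU\S-1-5-21-1-2-3-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'
                       Details = 'explorer.exe'
                       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; User = 'CORP\sampleuser' }
)

Get-WinlogonDeviations | Format-Table -AutoSize
Find-WinlogonChangesInEvents -Events $SampleEvents | Format-Table -AutoSize
```

The live check is the one to fold into endpoint hardening and incident-response collection; the event-side function is the shape of the correlation rule, with the Image and User fields providing the context the detection direction above asks for. Data comparison is trimmed and case-insensitive because the registry stores these values as free-form strings; the HKCU rule is deliberately stricter than the HKLM rule because per-user Shell or Userinit entries have no stock value to match against.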
Analyst notes and limits
The most defensible Glexia position is to treat this as a high-value persistence validation point on Windows endpoints. It is not enough to collect generic endpoint logs; teams need evidence that sensitive Winlogon Registry locations are monitored, baselined, and tied to process execution at logon.
The ATT&CK object does not provide official detection logic. The assessment is limited to the supplied ATT&CK description, external references, and relationships. Local Windows versions, endpoint logging configuration, administrative tooling, and authorized shell/userinit customizations must be reviewed before deciding severity or detection confidence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1547 | Boot or Logon Autostart Execution | This object is a sub-technique of Boot or Logon Autostart Execution. |
| Enterprise | T1004 | Winlogon Helper DLL | Winlogon Helper DLL (T1004) was revoked by this object. |
Groups, software, and campaigns
G0102: Wizard Spider
Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.[1][2][3]
G0081: Tropic Trooper
Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. Tropic Trooper focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.[1][2][3]
G0010: Turla
Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]
S0168: Gazer
S1242: Qilin
Qilin is a ransomware family operated as a ransomware-as-a-service (RaaS) that has been active since at least 2022. It includes variants written in Go and Rust capable of targeting Windows, Linux, and VMware ESXi environments. Qilin shares functionality overlaps with Black Basta, REvil, and BlackCat ransomware. Qilin affiliates have targeted multiple entities worldwide with the majority of victims in the US, France, Canada, and the UK, primarily in the manufacturing, technology, financial services, and healthcare sectors.[1][2][3][4][5]
S1066: DarkTortilla
DarkTortilla is a highly configurable .NET-based crypter that has been possibly active since at least August 2015. DarkTortilla has been used to deliver popular information stealers, RATs, and payloads such as Agent Tesla, AsyncRat, NanoCore, RedLine, Cobalt Strike, and Metasploit.[1]
S0200: Dipsind
S0534: Bazar
Bazar is a downloader and backdoor that has been used since at least April 2020, with infections primarily against professional services, healthcare, manufacturing, IT, logistics and travel companies across the US and Europe. Bazar reportedly has ties to TrickBot campaigns and can be used to deploy additional malware, including ransomware, and to steal sensitive data.[1]
S0375: Remexi
S0379: Revenge RAT
Revenge RAT is a freely available remote access tool written in .NET (C#).[1][2]
S1202: LockBit 3.0
LockBit 3.0 is an evolution of the LockBit Ransomware-as-a-Service (RaaS) offering with similarities to BlackMatter and BlackCat ransomware. LockBit 3.0 has been in use since at least June 2022 and features enhanced defense evasion and exfiltration tactics, robust encryption methods for Windows and VMware ESXi systems, and a more refined RaaS structure over its predecessors such as LockBit 2.0.[1][2][3][4]
S0387: KeyBoy
S0351: Cannon
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | 775352a75825… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Cylance Reg Persistence Sept 2013: Langendorf, S. (2013, September 24). Windows Registry Persistence, Part 2: The Run Keys and Search-Order. Retrieved November 17, 2024.
- [2] TechNet Autoruns: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.
- [3] mitre-attack: T1547.004.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.