MITRE ATT&CK Technique: T1547.004 Winlogon Helper DLL
Description
Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in <code>HKLM\Software[\\Wow6432Node\\]\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> and <code>HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> are used to manage additional helper programs and functionalities that support Winlogon.(Citation: Cylance Reg Persistence Sept 2013)

Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys are known to be susceptible to abuse: (Citation: Cylance Reg Persistence Sept 2013)

* Winlogon\Notify - points to notification package DLLs that handle Winlogon events
* Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on
* Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on

Adversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.
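The following PowerShell audit is an added example, not part of the ATT&CK entry or the cited Cylance post: it reads the three Winlogon values named above from HKLM (including the Wow6432Node view) and HKCU and reports anything that differs from what a stock Windows install carries. The "expected" data (userinit.exe with its trailing comma, explorer.exe, and no HKCU overrides or Notify packages) is an assumption about a default system; environments that legitimately customise Userinit or Shell should adjust it.

```powershell
# Added example: audit Winlogon Userinit / Shell / Notify for persistence
# deviations. Expected values below are ASSUMPTIONS for a default install.
$expected = @{
    Userinit = "$env:SystemRoot\system32\userinit.exe,"   # trailing comma is normal
    Shell    = 'explorer.exe'
}
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

$findings = foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $props  = Get-ItemProperty -Path $key
    $isHkcu = $key -like 'HKCU:*'

    foreach ($name in $expected.Keys) {
        $actual = $props.$name
        if ($null -eq $actual) { continue }          # value not set: nothing to compare
        # HKCU normally carries neither value; Winlogon honours it if present,
        # so any per-user Userinit/Shell is reported regardless of its data.
        if ($isHkcu -or $actual -ne $expected[$name]) {
            [pscustomobject]@{
                Key      = $key
                Value    = $name
                Data     = $actual
                Expected = if ($isHkcu) { '(not set)' } else { $expected[$name] }
            }
        }
    }

    # Winlogon\Notify: each subkey names a package DLL in its DLLName value.
    # Notification packages are not loaded on Windows Vista and later, so any
    # surviving entry is worth a look rather than a sign of normal operation.
    $notify = Join-Path $key 'Notify'
    if (Test-Path $notify) {
        foreach ($sub in Get-ChildItem -Path $notify) {
            [pscustomobject]@{
                Key      = $sub.PSPath
                Value    = 'DLLName'
                Data     = (Get-ItemProperty -Path $sub.PSPath).DLLName
                Expected = '(no Notify packages expected)'
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else           { 'No deviations from expected Winlogon values.' }
```

Run it from an elevated prompt on the host being reviewed; the HKCU view reflects only the account running the script, so check other users' hives (or run it under each logon) for per-user overrides.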
Supported Platforms
Windows
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-01-24T16:59:59.688Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may abuse features of Winlogon to execute DLLs '
                'and/or executables when a user logs in. Winlogon.exe is a '
                'Windows component responsible for actions at logon/logoff as '
                'well as the secure attention sequence (SAS) triggered by '
                'Ctrl-Alt-Delete. Registry entries in '
                '<code>HKLM\\Software[\\\\Wow6432Node\\\\]\\Microsoft\\Windows '
                'NT\\CurrentVersion\\Winlogon\\</code> and '
                '<code>HKCU\\Software\\Microsoft\\Windows '
                'NT\\CurrentVersion\\Winlogon\\</code> are used to manage '
                'additional helper programs and functionalities that support '
                'Winlogon.(Citation: Cylance Reg Persistence Sept 2013) \n'
                '\n'
                'Malicious modifications to these Registry keys may cause '
                'Winlogon to load and execute malicious DLLs and/or '
                'executables. Specifically, the following subkeys have been '
                'known to be possibly vulnerable to abuse: (Citation: Cylance '
                'Reg Persistence Sept 2013)\n'
                '\n'
                '* Winlogon\\Notify - points to notification package DLLs that '
                'handle Winlogon events\n'
                '* Winlogon\\Userinit - points to userinit.exe, the user '
                'initialization program executed when a user logs on\n'
                '* Winlogon\\Shell - points to explorer.exe, the system shell '
                'executed when a user logs on\n'
                '\n'
                'Adversaries may take advantage of these features to '
                'repeatedly execute malicious code and establish persistence.',
 'external_references': [{'external_id': 'T1547.004',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1547/004'},
                         {'description': 'Langendorf, S. (2013, September 24). '
                                         'Windows Registry Persistence, Part '
                                         '2: The Run Keys and Search-Order. '
                                         'Retrieved November 17, 2024.',
                          'source_name': 'Cylance Reg Persistence Sept 2013',
                          'url': 'https://web.archive.org/web/20160214140250/http://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order'},
                         {'description': 'Russinovich, M. (2016, January 4). '
                                         'Autoruns for Windows v13.51. '
                                         'Retrieved June 6, 2016.',
                          'source_name': 'TechNet Autoruns',
                          'url': 'https://technet.microsoft.com/en-us/sysinternals/bb963902'}],
 'id': 'attack-pattern--6836813e-8ec8-4375-b459-abb388cb1a35',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'persistence'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'privilege-escalation'}],
 'modified': '2025-10-24T17:48:53.539Z',
 'name': 'Winlogon Helper DLL',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Praetorian'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Windows'],
 'x_mitre_version': '1.3'}