EXPLORE
Sign In
← Back to Explore
T1547.004

Winlogon Helper DLL

Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in <code>HKLM\Software[\\Wow6432Node\\]\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> and <code>HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> are used to manage additional helper programs and functionali...

Windows
4
Detections
2
Sources
3
Threat Actors

BY SOURCE

3sigma1elastic

PROCEDURES (4)

Persist1 detections

Auto-extracted: 1 detections for persist

Persist1 detections

Auto-extracted: 1 detections for persist

Registry1 detections

Auto-extracted: 1 detections for registry

Registry Monitoring1 detections

Auto-extracted: 1 detections for registry monitoring

THREAT ACTORS (3)

Tropic TrooperTurlaWizard Spider

DETECTIONS (4)

MITRE BZAR Indicators for Persistence
sigmamedium
Persistence via WMI Standard Registry Provider
elastichigh
Winlogon Helper DLL
sigmamedium
Winlogon Notify Key Logon Persistence
sigmahigh