T1547.004 Google Chronicle · YARA-L

Detect Winlogon Helper DLL in Google Chronicle

Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the Winlogon\Notify, Winlogon\Userinit, and Winlogon\Shell subkeys are known targets for abuse by threat actors including Turla, Wizard Spider, and LockBit.

MITRE ATT&CK

Tactic: Persistence, Privilege Escalation
Technique: T1547 Boot or Logon Autostart Execution
Sub-technique: T1547.004 Winlogon Helper DLL
Canonical reference: https://attack.mitre.org/techniques/T1547/004/

YARA-L Detection Query

rule winlogon_helper_dll_persistence {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects modifications to Winlogon registry keys (Shell, Userinit, Notify, VmApplet, AppSetup, Taskman) that may indicate Winlogon Helper DLL persistence (T1547.004). Adversary groups including Turla, Wizard Spider, and LockBit abuse these keys."
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1547.004"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1547/004/"

  events:
    $e.metadata.event_type = "REGISTRY_MODIFICATION"
    $e.target.registry.registry_key = /(?i)\\Windows NT\\CurrentVersion\\Winlogon/
    $e.target.registry.registry_value_name = /(?i)^(Shell|Userinit|Notify|VmApplet|AppSetup|Taskman)$/
    // Exclude only the OS defaults. Value names are compared case-insensitively to match
    // the (?i) regexes above; a writer may use any casing for the value name.
    not (
      $e.target.registry.registry_value_name = "Shell" nocase and
      $e.target.registry.registry_value_data = "explorer.exe" nocase
    )
    // Anchored to the exact default (trailing comma included) so that an appended path
    // such as "userinit.exe, <other>" is not suppressed by the exclusion.
    not (
      $e.target.registry.registry_value_name = "Userinit" nocase and
      $e.target.registry.registry_value_data = /(?i)^C:\\Windows\\system32\\userinit\.exe,$/
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting modifications to known Winlogon persistence subkeys. Uses UDM registry event fields to match key path, value name, and filters out legitimate default data. Covers both HKLM and HKCU hive paths. Fires on any non-default write to Shell, Userinit, Notify, VmApplet, AppSetup, or Taskman under the Winlogon key.

Data Sources

  • Windows Registry Events via Chronicle Forwarder
  • Sysmon Event ID 12/13/14 ingested to Chronicle UDM

Required Tables

UDM registry events (metadata.event_type = REGISTRY_MODIFICATION)

False Positives & Tuning

  • Vendor software performing in-place OS upgrades that temporarily set a custom Shell value during the upgrade phase
  • Enterprise single sign-on (SSO) tools that register a Winlogon Notify DLL for credential interception on corporate workstations
  • Kiosk mode deployments that intentionally set a custom Shell value (e.g., a restricted browser launcher) as an approved configuration

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Modify Winlogon Shell to Append Malicious Binary

    Expected signal: Sysmon Event ID 13: RegistryValueSet on HKCU\...\Winlogon\Shell with value containing 'explorer.exe, C:\Windows\System32\calc.exe'.

  2. Test 2: Modify Winlogon Userinit to Chain Malicious Binary

    Expected signal: Sysmon Event ID 13: RegistryValueSet on HKLM\...\Winlogon\Userinit showing the appended executable path.

  3. Test 3: Create Winlogon Notify Key

    Expected signal: Sysmon Event ID 12: Key created for the Notify subkey. Sysmon Event ID 13: Value set for DllName.
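To check the rule's exclusions against the expected signals listed above before deploying it, here is an added Python re-implementation of the events logic (not Chronicle code and not part of the original page). It assumes the Sysmon parser splits TargetObject into registry_key and registry_value_name, anchors the Userinit exclusion to the exact OS default so that an appended path is not suppressed, and uses constructed sample events.

```python
import re
from dataclasses import dataclass

# Regexes from the YARA-L rule; the Userinit exclusion is anchored to the exact default
# value so that a path appended after the default comma is NOT suppressed.
KEY_RE = re.compile(r"(?i)\\Windows NT\\CurrentVersion\\Winlogon")
VALUE_NAME_RE = re.compile(r"(?i)^(Shell|Userinit|Notify|VmApplet|AppSetup|Taskman)$")
USERINIT_DEFAULT_RE = re.compile(r"(?i)^C:\\Windows\\system32\\userinit\.exe,$")

@dataclass
class UdmRegistryEvent:
    """Only the UDM fields the rule reads (constructed sample, not a full UDM record)."""
    event_type: str
    registry_key: str
    registry_value_name: str
    registry_value_data: str

def rule_matches(e: UdmRegistryEvent) -> bool:
    """Mirror of the rule's events section: all predicates must hold for one event."""
    if e.event_type != "REGISTRY_MODIFICATION":
        return False
    if not KEY_RE.search(e.registry_key) or not VALUE_NAME_RE.search(e.registry_value_name):
        return False
    # Exclusion 1: the default Shell value (compared case-insensitively, like 'nocase').
    if e.registry_value_name.lower() == "shell" and e.registry_value_data.lower() == "explorer.exe":
        return False
    # Exclusion 2: the default Userinit value, trailing comma included.
    if e.registry_value_name.lower() == "userinit" and USERINIT_DEFAULT_RE.search(e.registry_value_data):
        return False
    return True

HKLM = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
HKCU = r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
MOD = "REGISTRY_MODIFICATION"

# Constructed events: two OS defaults plus the three expected signals from Testing Methodology.
SAMPLE_EVENTS = {
    "default_shell": UdmRegistryEvent(MOD, HKLM, "Shell", "explorer.exe"),
    "default_userinit": UdmRegistryEvent(MOD, HKLM, "Userinit", r"C:\Windows\system32\userinit.exe,"),
    "test1_shell_append": UdmRegistryEvent(MOD, HKCU, "Shell", r"explorer.exe, C:\Windows\System32\calc.exe"),
    "test2_userinit_chain": UdmRegistryEvent(MOD, HKLM, "Userinit",
                                             r"C:\Windows\system32\userinit.exe, C:\Users\Public\x.exe"),
    "test3_notify_dllname": UdmRegistryEvent(MOD, HKLM + r"\Notify\x", "DllName", r"C:\Users\Public\x.dll"),
}

def evaluate(events=SAMPLE_EVENTS) -> dict:
    """Return {label: fired} so exclusions and coverage can be checked at a glance."""
    return {label: rule_matches(e) for label, e in events.items()}
```

Running `evaluate()` shows both defaults suppressed and Tests 1 and 2 firing, but the DllName write from Test 3 does not match because DllName is not in the rule's value-name list (and a key-creation event is not a REGISTRY_MODIFICATION); whether to widen the list is a tuning decision for the deploying team.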
