Detect Winlogon Helper DLL in IBM QRadar
Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the Winlogon\Notify, Winlogon\Userinit, and Winlogon\Shell subkeys are known targets for abuse by threat actors including Turla, Wizard Spider, and LockBit.
MITRE ATT&CK
- Tactic
- Persistence, Privilege Escalation
- Technique
- T1547 Boot or Logon Autostart Execution
- Sub-technique
- T1547.004 Winlogon Helper DLL
- Canonical reference
- https://attack.mitre.org/techniques/T1547/004/
QRadar Detection Query
SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
LOGSOURCENAME(logsourceid) AS "Log Source",
"sourceip" AS "Host IP",
"HostName" AS "Hostname",
"TargetObject" AS "Registry Key Path",
"Details" AS "Value Data",
"Image" AS "Initiating Process",
username AS "User"
FROM events
WHERE LOGSOURCETYPEID(devicetype) = 'Microsoft Windows'
AND QIDNAME(qid) ILIKE '%Sysmon%'
AND (eventid = '13' OR "EventID" = '13')
AND ("TargetObject" ILIKE '%\\Windows NT\\CurrentVersion\\Winlogon\\Shell'
OR "TargetObject" ILIKE '%\\Windows NT\\CurrentVersion\\Winlogon\\Userinit'
OR "TargetObject" ILIKE '%\\Windows NT\\CurrentVersion\\Winlogon\\Notify'
OR "TargetObject" ILIKE '%\\Windows NT\\CurrentVersion\\Winlogon\\VmApplet'
OR "TargetObject" ILIKE '%\\Windows NT\\CurrentVersion\\Winlogon\\AppSetup'
OR "TargetObject" ILIKE '%\\Windows NT\\CurrentVersion\\Winlogon\\Taskman')
AND "Details" NOT ILIKE 'explorer.exe'
AND "Details" NOT ILIKE 'C:\\Windows\\system32\\userinit.exe,'
AND devicetime > DATEADD('hour', -24, NOW())
ORDER BY devicetime DESC

Queries QRadar for Sysmon Event ID 13 (RegistryValueSet) targeting Winlogon subkeys. Filters out the known-good default values for Shell and Userinit to reduce false positives. Non-default values in these keys indicate potential persistence via Winlogon Helper DLL (T1547.004).
Data Sources
Required Tables
False Positives & Tuning
- Legitimate software installers that temporarily modify Winlogon Shell or Userinit during setup and restore originals on reboot
- Enterprise desktop management tools that write approved wrapper scripts to Userinit during domain join or image deployment
- Security software vendors (e.g., CyberArk, Thycotic) that hook Winlogon Notify for privileged session monitoring
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Modify Winlogon Shell to Append Malicious Binary
  Expected signal: Sysmon Event ID 13: RegistryValueSet on HKCU\...\Winlogon\Shell with value containing 'explorer.exe, C:\Windows\System32\calc.exe'.
- Test 2: Modify Winlogon Userinit to Chain Malicious Binary
  Expected signal: Sysmon Event ID 13: RegistryValueSet on HKLM\...\Winlogon\Userinit showing the appended executable path.
- Test 3: Create Winlogon Notify Key
  Expected signal: Sysmon Event ID 12: Key created for the Notify subkey. Sysmon Event ID 13: Value set for DllName.
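The matching logic of the QRadar query above and the expected signals of the three tests, re-implemented offline as an added example (this is not code from the original page or from the QRadar content): constructed Sysmon Event ID 13 records are run through the same end-of-path subkey match and the same whole-value, case-insensitive exclusion of the Shell and Userinit defaults. Two things go beyond the page's query and are my additions: the `include_notify_children` switch, because the AQL pattern `'%\\Winlogon\\Notify'` has no trailing wildcard and so does not match a DllName value written under `Winlogon\Notify\<subkey>` (the Test 3 signal ends in `DllName`, not `Notify`), and the `APPROVED_VALUES` allowlist, which is the site-specific tuning the False Positives section describes. The user SID, file paths and the "ExampleMgmt" tool are made up.

```python
from dataclasses import dataclass

# The six Winlogon value names the AQL query watches.
WATCHED_VALUES = ("Shell", "Userinit", "Notify", "VmApplet", "AppSetup", "Taskman")
WINLOGON_MARKER = "\\windows nt\\currentversion\\winlogon\\"

# Known-good defaults excluded by the query's NOT ILIKE clauses
# (whole-value, case-insensitive, exactly as the AQL compares them).
DEFAULT_VALUES = {
    "Shell": {"explorer.exe"},
    "Userinit": {"c:\\windows\\system32\\userinit.exe,"},
}


@dataclass
class RegistryValueSet:
    """The Sysmon Event ID 13 fields the query selects on (constructed records)."""
    target_object: str   # Sysmon TargetObject: full path of the value written
    details: str         # Sysmon Details: the new value data
    image: str           # Sysmon Image: process that wrote the value
    user: str


def watched_value(target_object, include_notify_children=False):
    """Name of the watched Winlogon value a TargetObject refers to, or None.

    Mirrors ILIKE '%\\Windows NT\\CurrentVersion\\Winlogon\\<Name>': with no
    trailing wildcard the path must END in the value name. include_notify_children
    is an extension of the page's query: it also matches values written beneath
    Winlogon\\Notify\\<subkey>\\..., such as the DllName value from Test 3.
    """
    path = target_object.lower()
    pos = path.find(WINLOGON_MARKER)
    if pos < 0:
        return None
    tail = path[pos + len(WINLOGON_MARKER):]
    for name in WATCHED_VALUES:
        if tail == name.lower():
            return name
    if include_notify_children and tail.startswith("notify\\"):
        return "Notify"
    return None


def is_suspicious(event, allowlist=None, include_notify_children=False):
    """True when the record would be returned by the query (plus optional tuning)."""
    name = watched_value(event.target_object, include_notify_children)
    if name is None:
        return False
    data = event.details.lower()
    if data in DEFAULT_VALUES.get(name, set()):
        return False            # known-good default, filtered like the AQL does
    allowed = {v.lower() for v in (allowlist or {}).get(name, ())}
    return data not in allowed  # site-specific allowlist (False Positives & Tuning)


def detect(events, allowlist=None, include_notify_children=False):
    """Apply the rule to a batch of records and return the alerting ones."""
    return [e for e in events if is_suspicious(e, allowlist, include_notify_children)]


# Constructed sample telemetry. The SID and every path below are made up.
USER_HIVE = "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001"
HKLM_WINLOGON = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
USER_WINLOGON = USER_HIVE + "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"

SAMPLE_EVENTS = [
    # Test 1 signal: Shell with an appended binary -> alert
    RegistryValueSet(USER_WINLOGON + "\\Shell", "explorer.exe, C:\\Windows\\System32\\calc.exe",
                     "C:\\Users\\alice\\Downloads\\stage.exe", "LAB\\alice"),
    # default Shell written back by an installer -> excluded
    RegistryValueSet(HKLM_WINLOGON + "\\Shell", "explorer.exe", "C:\\Temp\\setup.exe", "SYSTEM"),
    # default Userinit -> excluded
    RegistryValueSet(HKLM_WINLOGON + "\\Userinit", "C:\\Windows\\system32\\userinit.exe,",
                     "C:\\Temp\\setup.exe", "SYSTEM"),
    # Test 2 signal: Userinit chaining an extra executable -> alert
    RegistryValueSet(HKLM_WINLOGON + "\\Userinit", "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\svc.exe",
                     "C:\\Users\\alice\\Downloads\\stage.exe", "LAB\\alice"),
    # Test 3 signal: DllName under a Notify subkey -> missed by the strict pattern
    RegistryValueSet(HKLM_WINLOGON + "\\Notify\\logonhook\\DllName", "C:\\ProgramData\\hook.dll",
                     "C:\\Users\\alice\\Downloads\\stage.exe", "LAB\\alice"),
    # unrelated Run value -> never matched by this rule
    RegistryValueSet("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
                     "C:\\ProgramData\\svc.exe", "C:\\Temp\\setup.exe", "SYSTEM"),
    # approved wrapper written by a (hypothetical) management tool -> allowlist candidate
    RegistryValueSet(HKLM_WINLOGON + "\\Userinit",
                     "C:\\Windows\\system32\\userinit.exe,C:\\Program Files\\ExampleMgmt\\wrapper.exe",
                     "C:\\Program Files\\ExampleMgmt\\agent.exe", "SYSTEM"),
]

# Hypothetical tuning entry for the management tool above.
APPROVED_VALUES = {
    "Userinit": {"C:\\Windows\\system32\\userinit.exe,C:\\Program Files\\ExampleMgmt\\wrapper.exe"},
}

if __name__ == "__main__":
    for ev in detect(SAMPLE_EVENTS, APPROVED_VALUES, include_notify_children=True):
        print(f"ALERT user={ev.user} image={ev.image} {ev.target_object} = {ev.details}")
```

Run as-is, the script prints three alerts: the tampered Shell, the chained Userinit, and the Notify DllName. Calling `detect(SAMPLE_EVENTS)` with the defaults reproduces the page's query exactly and returns the tampered Shell, the chained Userinit and the un-allowlisted management-tool write, but not the DllName record; that difference is the gap to close if the Notify case matters in your environment.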
References (4)
- https://attack.mitre.org/techniques/T1547/004/
- https://web.archive.org/web/20160214140250/http://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order
- https://technet.microsoft.com/en-us/sysinternals/bb963902
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md