title: Winlogon Helper DLL (T1547.004)
id: df00tech-t1547-004
status: experimental
description: "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are used to manage additional helper programs. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the Winlogon\\Notify, Winlogon\\Userinit, and Winlogon\\Shell subkeys are known targets for abuse by threat actors including Turla, Wizard Spider, and LockBit."
references:
  - https://attack.mitre.org/techniques/T1547/004/
  - https://df00tech.com/detections/T1547.004
author: df00tech
date: 2026/04/20
tags:
  - attack.t1547.004
# NOTE: logsource and selection are derived from the description (Sysmon Event ID 13 registry value-set events) and may need adjustment for your environment
logsource:
  category: registry_set
  product: windows
detection:
  # Value writes under the Winlogon subkeys named in the description; the reference KQL/SPL query on df00tech may differ
  selection:
    TargetObject|contains:
      - '\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\'
      - '\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit'
      - '\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'
  filter_defaults:  # stock Windows values for Shell and Userinit
    Details:
      - 'explorer.exe'
      - 'C:\Windows\system32\userinit.exe,'
  condition: selection and not filter_defaults
falsepositives:
  - Custom shell replacements in kiosk or thin-client environments
  - Enterprise login scripts that legitimately modify Userinit to chain additional executables
  - Accessibility tools or custom logon screen providers that modify Winlogon values
level: critical
