T1547.004 Winlogon Helper DLL is a technique in the MITRE ATT&CK framework under the Persistence tactic. It refers to Winlogon Helper DLLs, which extend the functionality of the Windows Logon process by executing code during user sessions.
These DLLs are loaded by Winlogon, the component responsible for managing user logins, security, and the user interface, and they allow additional functionality to be added to the logon process. Because Winlogon sits at the center of user authentication and session management, code it loads runs with elevated privileges, which is what makes these DLLs attractive for persistence.
To read about other sub-techniques of the T1547 Boot Logon or Auto Start Execution technique, you can visit the related hub blog.
Adversaries can exploit the Winlogon Helper DLL mechanism by targeting specific registry entries that control how Windows executes programs during system login events.
Winlogon.exe is a core component responsible for managing user logins, logoffs, and initiating secure attention sequences (SAS) such as Ctrl-Alt-Delete. The following registry keys are crucial in controlling Winlogon's behavior:
HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\
These keys control the loading of programs essential for user initialization and system startup. Modifying the values within them allows attackers to inject malicious DLLs or executables into the login process.
Key subkeys that may be targeted include:
By exploiting these registry keys, attackers gain the ability to run malicious code every time the system starts, providing persistent access and maintaining control over the system's login process.
A relevant example comes from the April 2025 analysis of the ToyMaker campaign [1], where attackers created unauthorized user accounts on compromised endpoints. This facilitated the deployment of ransomware, as seen in the following commands executed by the adversaries:
net user whiteninja <password> /add
These actions not only created a new user account but also enabled automatic login with that account, further helping the attackers maintain control over the compromised machine. By modifying critical Winlogon keys, adversaries can effectively bypass security measures and ensure that their malicious programs run every time a user logs in.
In May 2024, the KamiKakaBot malware was observed employing the Winlogon Helper DLL technique to establish persistence on compromised systems [2]. According to security researchers, KamiKakaBot modifies specific registry entries to load malicious code during user logon, ensuring it executes with elevated privileges each time the user logs in.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = explorer.exe, explorer.exe /e,/root,%Pyps% -nop -w h "Start-Process -N -F $env:Msbd -A $env:Temprd"
SHA256*: 580506d869ce6652dcf0f77354959f8258c0f7fbdc95bd686a1377fa758a4e2b
This registry modification sets the Shell value under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. By default, Shell is set to explorer.exe, which launches the standard Windows desktop environment upon user login. The modified value keeps that first entry and appends a second instance of explorer.exe carrying malicious parameters, so the desktop still appears normally while the extra entry runs.
The command includes /e,/root,%Pyps%, which directs Windows Explorer to open a specific root directory, likely one containing hidden or malicious files specified by the %Pyps% environment variable. It also executes a PowerShell command using the Start-Process function, leveraging additional environment variables like $env:Msbd and $env:Temprd. These variables likely reference malicious payloads or scripts. The use of parameters such as -nop (no profile) and -w h (hidden window) ensures the PowerShell process runs stealthily, avoiding detection by users.
This modification enables the attacker to execute arbitrary commands or payloads during the login process, effectively maintaining persistence while masking malicious activity behind a legitimate-looking desktop environment.
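A defender-side check for the registry keys and the Shell value discussed above, added here as an example and not code from the original post or from any of the cited analyses. It compares Winlogon Shell/Userinit data against stock defaults, flags per-user (HKCU) overrides and appended entries, and looks for the PowerShell and environment-variable tokens seen in the KamiKakaBot value; the expected defaults, token list and sample records are assumptions constructed for this example.

```python
import re

# Stock defaults for the Winlogon values that T1547.004 abuses (assumed for this
# example; adjust for images that legitimately customise the shell).
EXPECTED = {
    "shell": ["explorer.exe"],
    "userinit": [r"c:\windows\system32\userinit.exe"],
}

# Tokens with no business inside a logon Shell/Userinit value: PowerShell flags,
# environment-variable indirection and Explorer's /root switch.
SUSPICIOUS = re.compile(r"-nop\b|-w\s+h\b|start-process|%[a-z0-9_]+%|\$env:|\.ps1\b|/root,", re.I)


def parse_entries(data: str) -> list[str]:
    """Split a comma-separated Winlogon value into normalised entries."""
    return [p.strip().lower() for p in data.split(",") if p.strip()]


def suspicious_tokens(data: str) -> list[str]:
    """Distinct suspicious tokens in a value's data, lower-cased and sorted."""
    return sorted({m.lower() for m in SUSPICIOUS.findall(data)})


def check_winlogon_value(hive: str, name: str, data: str) -> list[str]:
    """Return findings for one Winlogon value; an empty list means it matches the default."""
    expected = EXPECTED.get(name.lower())
    if expected is None:
        return []  # value not covered by this check
    findings = []
    if hive.upper() in ("HKCU", "HKEY_CURRENT_USER"):
        # Stock installs define these only under HKLM; a per-user copy is an override.
        findings.append(f"{name} defined under HKCU (per-user override)")
    entries = parse_entries(data)
    if entries[: len(expected)] != expected:
        findings.append(f"{name} starts with {entries[:len(expected)]!r}, expected {expected!r}")
    if len(entries) > len(expected):
        findings.append(f"{name} has extra entries: {entries[len(expected):]!r}")
    if tokens := suspicious_tokens(data):
        findings.append(f"{name} contains suspicious tokens: {tokens}")
    return findings


def scan(records: list[tuple[str, str, str]]) -> dict[int, list[str]]:
    """Check (hive, value name, data) records; keys are indexes of records with findings."""
    return {i: f for i, (h, n, d) in enumerate(records) if (f := check_winlogon_value(h, n, d))}


# Constructed sample: two stock defaults plus the KamiKakaBot Shell value quoted above.
SAMPLE = [
    ("HKLM", "Shell", "explorer.exe"),
    ("HKLM", "Userinit", r"C:\Windows\system32\userinit.exe,"),
    ("HKEY_CURRENT_USER", "Shell",
     r'explorer.exe, explorer.exe /e,/root,%Pyps% -nop -w h "Start-Process -N -F $env:Msbd -A $env:Temprd"'),
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE).items():
        print(f"record {idx}:", *findings, sep="\n  ")
```

On a live host the same records can be fed from `reg query` output or Sysmon Event ID 13 (registry value set) events for the Winlogon path; the check is deliberately strict, so whitelist legitimate shell replacements before alerting.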
Additionally, a separate sandbox analysis report identified malware samples that attempt to modify the Winlogon registry keys to achieve persistence. For instance, a sample analyzed in May 2024 (Mandela.exe) [3] exhibited behavior consistent with this technique, indicating that adversaries continue to leverage this method to maintain access to compromised systems.
SHA256*: c6818da28a36a7ed628e5a86ede3a642b609b34b2f61ae4dba9a4814d6822d2f
[1] J. Chen, “Introducing ToyMaker, an initial access broker working in cahoots with double extortion gangs,” Cisco Talos Blog, Apr. 23, 2025. Available: https://blog.talosintelligence.com/introducing-toymaker-an-initial-access-broker/. [Accessed: Dec. 16, 2025]
[2] F. Roth, F. Ploss, B. Deibel, M. Hirtz, and P. Hager, “Unveiling KamiKakaBot - Malware Analysis,” Nextron Systems, Mar. 22, 2024. Available: https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/. [Accessed: Dec. 09, 2024]
[3] “Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for ‘Mandela.exe’,” Hybrid Analysis. Available: https://www.hybrid-analysis.com/sample/c6818da28a36a7ed628e5a86ede3a642b609b34b2f61ae4dba9a4814d6822d2f/663e52537f9f4475f20d101b. [Accessed: Dec. 09, 2024]