
Winlogon Helper DLL

Veramine edited this page Jul 7, 2017 · 4 revisions

Winlogon is a part of some Windows versions that performs actions at logon. Modifying a Registry key can cause Winlogon to load a DLL on startup, and adversaries may take advantage of this feature to load adversarial code at startup for persistence. You can learn more about this technique at https://attack.mitre.org/wiki/Technique/T1004.
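To make the registry side concrete, here is an added example (not Veramine's detection logic or code from this wiki) that classifies registry-write events touching the Winlogon key. It assumes the standard `Shell` and `Userinit` values and the `Notify` subkey, which this page does not name, plus default data for an install on `C:`; the event field names and sample events are constructed.

```python
# Added example: flag registry-write events that touch Winlogon load points.
WINLOGON = r"\software\microsoft\windows nt\currentversion\winlogon"
# Assumed defaults for a stock install on C: (lowercased, trailing comma stripped).
DEFAULTS = {"shell": "explorer.exe",
            "userinit": r"c:\windows\system32\userinit.exe"}

def _norm(data):
    """Normalize value data so the stock 'userinit.exe,' form compares equal."""
    return data.strip().rstrip(",").strip().lower()

def classify(event):
    """Return a finding label for one registry-write event, or None."""
    # Fold case and the 32-bit view so both registry views match one pattern.
    key = event["key"].lower().replace("\\wow6432node", "")
    idx = key.find(WINLOGON)
    if idx < 0:
        return None
    sub = key[idx + len(WINLOGON):]            # path below the Winlogon key
    value = event["value"].lower()
    if sub == "\\notify" or sub.startswith("\\notify\\"):
        return "winlogon-notify-write"         # any helper DLL registration
    if sub == "" and value in DEFAULTS and _norm(event["data"]) != DEFAULTS[value]:
        return f"winlogon-{value}-nondefault"  # extra or replaced program
    return None

# Constructed sample events (not real telemetry); field names are hypothetical.
EVENTS = [
    {"key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\example",
     "value": "DllName", "data": r"C:\ProgramData\example.dll", "process": "a.exe"},
    {"key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "value": "Userinit", "data": r"C:\Windows\system32\userinit.exe,", "process": "setup.exe"},
    {"key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "value": "Userinit", "process": "b.exe",
     "data": r"C:\Windows\system32\userinit.exe,C:\Users\Public\example.exe"},
    {"key": r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "value": "Shell", "data": "explorer.exe, example.exe", "process": "c.exe"},
    {"key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": r"C:\Program Files\example\u.exe", "process": "d.exe"},
]

def findings(events=EVENTS):
    """Return (label, writing process) for every flagged event, in order."""
    return [(label, e["process"]) for e in events if (label := classify(e))]

if __name__ == "__main__":
    for label, proc in findings():
        print(label, proc)
```

The rewrite of `Userinit` to its stock value is deliberately not flagged, so the check stays quiet during normal setup and repair activity.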

Veramine's detection engine flags several Winlogon-related persistence registry writes, including Winlogon Helper DLL additions and modifications. Here are two Winlogon-related persistence detection examples: