This note documents detection patterns related to Winlogon Abuse within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Sysmon | 13 | Registry value set | Critical | Detects modification of Winlogon registry values. |
| Sysmon | 12 | Registry object create/delete | High | Key creation around Winlogon path. |
| Security | 4657 | Registry value modified | High | Native registry auditing if enabled. |
| Sysmon | 1 | Process creation | Critical | Payload triggered by Winlogon at login. |
| Security | 4688 | Process creation | Critical | Parent-child execution after logon. |
| Security | 4624 | Successful logon | High | Trigger timing anchor. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Shell modified | Explorer replaced | Critical | Core persistence primitive. |
| Userinit modified | Extra payload appended | Critical | Very common abuse path. |
| Unexpected child from winlogon.exe | cmd / powershell / payload | Critical | High-confidence signal. |
| Alternate executable in Winlogon path | Temp/AppData target | Critical | Strong malicious clue. |
| Multiple Winlogon values changed | Broad persistence setup | High | Operator persistence pattern. |
| Logon immediately triggers payload | Tight correlation | High | Confirms the persistence trigger. |
Common Tools
| Tool | Usage |
|---|---|
| reg.exe | Modify Winlogon keys |
| PowerShell | Set-ItemProperty |
| regedit.exe | Manual persistence |
| malware loaders | Registry persistence |
Relevant Artifacts
- Sysmon Event IDs 12, 13, 1
- Security Event IDs 4657, 4688, 4624
- Registry path: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- Key values: Shell, Userinit, Notify
- Prefetch: REG.EXE-<hash>.pf (reg.exe execution) and the payload executable's own prefetch file
- Amcache / ShimCache
- EDR registry timeline
MITRE ATT&CK References
- T1547.004 Winlogon Helper DLL
- T1112 Modify Registry
Decision Tree
- Which value modified?
  - Shell
  - Userinit
  - Notify
- Payload path?
  - System32
  - Temp
  - AppData
- Trigger observed?
  - Interactive logon
  - RDP
  - Unlock
- Parent-child chain?
  - winlogon.exe
  - explorer.exe
- Expand:
  - Adjacent persistence
  - Registry changes
  - User scope
- Scope:
  - Single host
  - Multi-host persistence
  - Campaign pattern
Example Detection Templates
KQL

```kql
Sysmon
| where EventID == 13
| where TargetObject has "Winlogon"
| project TimeGenerated, Computer, TargetObject, Details
```

```kql
SecurityEvent
| where EventID == 4688
| where ParentProcessName endswith "winlogon.exe"
| project TimeGenerated, Computer, NewProcessName, CommandLine
```

EQL

```eql
registry where registry.path like "*\\Winlogon*"
```

```eql
sequence by host.name with maxspan=10m
  [ registry where registry.path like "*\\Winlogon*" ]
  [ process where process.parent.name == "winlogon.exe" ]
```

Sigma

```yaml
title: Winlogon Abuse Detection
id: 8b2d4a16-winlogon-abuse
status: experimental
description: Detects suspicious Winlogon registry persistence
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 13
  keywords:
    TargetObject|contains: 'Winlogon'
  condition: selection and keywords
fields:
  - TargetObject
  - Details
falsepositives:
  - Legitimate shell customization
level: high
tags:
  - attack.persistence
```
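The decision-tree checks above (which Winlogon value changed, whether the new value points into Temp/AppData, and whether winlogon.exe spawned an unexpected child) as executable triage logic over constructed Sysmon 13 and 1 events. This is an added example, not part of the original note; the baseline values are the stock Windows defaults and the allowlist of winlogon.exe children is an assumption to tune per build.

```python
import re

# Winlogon key from the note (HKLM hive). BASELINE holds the stock Windows defaults; assumption:
# the fleet has no legitimate shell customization, otherwise extend these sets.
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
BASELINE = {"shell": {"explorer.exe"}, "userinit": {r"c:\windows\system32\userinit.exe,"}}
# Children winlogon.exe normally spawns at logon (assumed allowlist; tune per Windows build).
EXPECTED_CHILDREN = {"userinit.exe", "logonui.exe", "dwm.exe", "fontdrvhost.exe", "mpnotify.exe"}
# Payload locations the note calls out as strong malicious clues.
SUSPICIOUS_PATH = re.compile(r"\\(?:temp|appdata)\\", re.I)

def leaf(path: str) -> str:
    """Last path component, lower-cased (registry value name or image file name)."""
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev: dict) -> list:
    """Reasons one Sysmon event looks like Winlogon persistence; [] when benign."""
    reasons = []
    if ev.get("EventID") == 13 and ev.get("TargetObject", "").lower().startswith(WINLOGON_KEY.lower()):
        name, details = leaf(ev["TargetObject"]), ev.get("Details", "")
        if name in BASELINE and details.lower() not in BASELINE[name]:
            reasons.append(f"{name} deviates from baseline: {details}")
        if SUSPICIOUS_PATH.search(details):
            reasons.append(f"{name} points into Temp/AppData: {details}")
    elif ev.get("EventID") == 1 and leaf(ev.get("ParentImage", "")) == "winlogon.exe":
        image = ev.get("Image", "")
        if leaf(image) not in EXPECTED_CHILDREN:
            reasons.append(f"unexpected winlogon.exe child: {image}")
        if SUSPICIOUS_PATH.search(image):
            reasons.append(f"child runs from Temp/AppData: {image}")
    return reasons

def triage(events: list) -> list:
    """(UtcTime, Computer, EventID, reasons) for every event that fires at least one check."""
    return [(ev["UtcTime"], ev["Computer"], ev["EventID"], r)
            for ev in events if (r := check_event(ev))]

# Constructed sample Sysmon events: a Userinit hijack and its payload launch, plus two benign events.
WINLOGON = r"C:\Windows\System32\winlogon.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2026-03-07 09:00:01", "Computer": "WS01", "TargetObject": WINLOGON_KEY + r"\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,C:\Users\bob\AppData\Roaming\upd.exe"},
    {"EventID": 13, "UtcTime": "2026-03-07 09:00:02", "Computer": "WS01", "TargetObject": WINLOGON_KEY + r"\Shell",
     "Details": "explorer.exe"},
    {"EventID": 1, "UtcTime": "2026-03-07 09:05:10", "Computer": "WS01", "ParentImage": WINLOGON,
     "Image": r"C:\Windows\System32\userinit.exe"},
    {"EventID": 1, "UtcTime": "2026-03-07 09:05:11", "Computer": "WS01", "ParentImage": WINLOGON,
     "Image": r"C:\Users\bob\AppData\Roaming\upd.exe"},
]
```

Running `triage(SAMPLE_EVENTS)` returns two alerts: the Userinit modification (baseline deviation plus AppData path) and the upd.exe launch under winlogon.exe, while the stock Shell value and the userinit.exe child stay silent.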
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Registry monitoring | Alert on Winlogon writes | Critical | Core persistence signal |
| Baseline Winlogon values | Record known-good Shell/Userinit values and alert on deviation | Critical | Easy validation, low false positives |
| Logon correlation | Watch post-login payloads | High | Confirms trigger |
| Restrict registry writes | Reduce abuse surface | High | Prevent persistence |
| Central telemetry | Preserve registry history | High | Strong forensic value |