|T1547.001||Registry Run Keys / Startup Folder|
|T1547.004||Winlogon Helper DLL|
|T1547.005||Security Support Provider|
|T1547.006||Kernel Modules and Extensions|
|T1547.013||XDG Autostart Entries|
Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon.
Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys are known to be susceptible to abuse:
Adversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.
Bazar can use Winlogon Helper DLL to establish persistence.
Cannon adds the Registry key
A Dipsind variant registers as a Winlogon Event Notify DLL to establish persistence.
Gazer can establish persistence by setting the value "Shell" with "explorer.exe, %malware_pathfile%" under the Registry key
KeyBoy issues the command
Remexi achieves persistence using Userinit by adding the Registry key
Tropic Trooper has created the Registry key
Turla established persistence by adding a Shell value under the Registry key
Wizard Spider has established persistence using Userinit by adding the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
Identify and block potentially malicious software that may be executed through the Winlogon helper process by using application control tools like AppLocker that are capable of auditing and/or blocking unknown DLLs.
|M1018||User Account Management||
Limit the privileges of user accounts so that only authorized administrators can perform Winlogon helper changes.
|ID||Data Source||Data Component||Detects|
Monitor executed commands and arguments that may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.
New DLLs written to System32 that do not correlate with known good software or patching may also be suspicious. Look for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
|DS0024||Windows Registry||Windows Registry Key Modification||
Monitor for changes to Registry entries associated with Winlogon that do not correlate with known software, patch cycles, etc. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current Winlogon helper values.
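The Registry-modification monitoring described above, as an added Python example that is not part of the ATT&CK page: it takes Sysmon Event ID 13 (RegistryValueSet) records, keeps only writes under ...\CurrentVersion\Winlogon\, and flags Shell or Userinit values that differ from an assumed stock baseline, plus any write under the Notify subkey. The key/value text format and the sample events are constructed for the example, and the baseline values are assumptions to tune per environment.

```python
import re

# Assumed stock defaults for the Winlogon values most often abused for persistence;
# tune these to your own baseline. These are assumptions, not taken from the page.
KNOWN_GOOD = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe,"},
}
# Matches any value or subkey beneath ...\CurrentVersion\Winlogon\ in HKLM or HKCU.
WINLOGON_RE = re.compile(r"\\microsoft\\windows nt\\currentversion\\winlogon\\(?P<rest>.+)$", re.I)


def parse_event(line):
    """Parse one 'Key: value; Key: value' line (constructed Sysmon-like text export)."""
    return dict(field.split(": ", 1) for field in line.strip().split("; "))


def check_event(ev):
    """Return a finding string for a Sysmon Event ID 13 that moves a Winlogon helper
    value away from baseline (or touches Notify); None if benign or out of scope."""
    if ev.get("EventID") != "13":
        return None
    m = WINLOGON_RE.search(ev.get("TargetObject", ""))
    if not m:
        return None
    rest = m.group("rest").lower()
    name = rest.split("\\")[0]          # shell, userinit, notify\<pkg>\dllname, ...
    details = ev.get("Details", "").strip().lower()
    image = ev.get("Image", "?")
    if name in KNOWN_GOOD and details not in KNOWN_GOOD[name]:
        return f"Winlogon\\{name} changed to {details!r} by {image}"
    if name == "notify":                # any new Notify package DLL deserves review
        return f"Winlogon\\{rest} set to {details!r} by {image}"
    return None


def scan(lines):
    """Run check_event over raw log lines and return the list of findings."""
    return [f for f in map(check_event, map(parse_event, lines)) if f]


# Constructed sample events: one patch-cycle write of the default, three suspicious
# writes, and one unrelated Run-key write that this detector deliberately ignores.
SAMPLE_EVENTS = [
    r"EventID: 13; Image: C:\Windows\System32\svchost.exe; TargetObject: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell; Details: explorer.exe",
    r"EventID: 13; Image: C:\Users\Public\setup.exe; TargetObject: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell; Details: explorer.exe, C:\Users\Public\setup.exe",
    r"EventID: 13; Image: C:\Windows\Temp\a.exe; TargetObject: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit; Details: C:\Windows\system32\userinit.exe, C:\Windows\Temp\a.exe",
    r"EventID: 13; Image: C:\Windows\regedit.exe; TargetObject: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pkg\DllName; Details: C:\Windows\Temp\n.dll",
    r"EventID: 13; Image: C:\Windows\regedit.exe; TargetObject: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater; Details: C:\Users\Public\u.exe",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The Run-key write is left to the T1547.001 detection; the point here is that the baseline comparison, not the key path alone, separates a patch-cycle rewrite of the default from an appended payload.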