Skip to content

Hide Navigation Hide TOC

Winlogon Notify Key Logon Persistence (bbf59793-6efb-4fa1-95ca-a7d288e52c88)

Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.

Cluster A Galaxy A Cluster B Galaxy B Level
Winlogon Helper DLL - T1547.004 (6836813e-8ec8-4375-b459-abb388cb1a35) Attack Pattern Winlogon Notify Key Logon Persistence (bbf59793-6efb-4fa1-95ca-a7d288e52c88) Sigma-Rules 1
Winlogon Helper DLL - T1547.004 (6836813e-8ec8-4375-b459-abb388cb1a35) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2