Winlogon Helper DLL - veramine/Detections GitHub Wiki
Winlogon is a component of some Windows versions that performs actions at logon. A Registry key can be modified so that Winlogon loads a DLL on startup. Adversaries may take advantage of this feature to load malicious code at startup for persistence. You can learn more about this tactic at https://attack.mitre.org/wiki/Technique/T1004.
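As an added illustration (not Veramine's detection logic and not code from this wiki), the sketch below checks registry write events against the Winlogon values named in the ATT&CK T1004 write-up: `Userinit`, `Shell` and the `Notify` subkey. The event field names, the baseline data and the sample events are assumptions constructed for the example.

```python
WINLOGON = r"software\microsoft\windows nt\currentversion\winlogon"
# Baseline data for a default install; an assumption to tune per environment.
BASELINE = {
    "userinit": {r"c:\windows\system32\userinit.exe"},
    "shell": {"explorer.exe"},
}

def check_registry_write(event):
    """Return a finding for a suspicious Winlogon write, else None."""
    # Fold case and the 32-bit view so both registry views are covered.
    key = event["key"].lower().replace("\\wow6432node", "")
    pos = key.find(WINLOGON)
    if pos < 0:
        return None
    tail = key[pos + len(WINLOGON):]
    name = event["value"].lower()
    # Notify\<package> registers a helper DLL; any write there is reported.
    if tail == "\\notify" or tail.startswith("\\notify\\"):
        return f"Notify package write: {event['value']}={event['data']}"
    if tail == "" and name in BASELINE:
        # Userinit and Shell hold comma-separated programs; report extras.
        entries = [e.strip() for e in event["data"].split(",") if e.strip()]
        extra = [e for e in entries if e.lower() not in BASELINE[name]]
        if extra:
            return f"{event['value']} launches non-baseline program(s): {extra}"
    return None

def scan(events):
    """Collect the findings for a batch of registry write events."""
    return [f for f in map(check_registry_write, events) if f]

# Constructed sample events (hypothetical field names: key, value, data).
K = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SAMPLE_EVENTS = [
    {"key": K, "value": "Userinit", "data": r"C:\Windows\system32\userinit.exe,"},
    {"key": K, "value": "Userinit",
     "data": r"C:\Windows\system32\userinit.exe,C:\Users\Public\upd.exe"},
    {"key": K + r"\Notify\examplepkg", "value": "DllName",
     "data": r"C:\ProgramData\example.dll"},
    {"key": K.replace("SOFTWARE", r"SOFTWARE\WOW6432Node"), "value": "Shell",
     "data": "explorer.exe"},
    {"key": K, "value": "DefaultUserName", "data": "alice"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Comparing against a baseline, rather than alerting on every write to the key, keeps routine writes such as `DefaultUserName` and the default `Userinit` data out of the results.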
Veramine's detection engine flags several Winlogon-related persistence registry writes, including Winlogon Helper DLL additions and modifications. Here are two Winlogon-related persistence detection examples: