While winlogon.exe is a core Windows component, its name is also one of those most often used by malware. The legitimate winlogon.exe has the following metadata:
Image Path: %SystemRoot%\System32\winlogon.exe
Parent Process: Created by an instance of smss.exe that exits, so analysis tools usually do not provide the parent process name.
Number of Instances: One or more
User Account: Local System
Start Time: Within seconds of boot time for the first instance (for Session 1). Start times for additional instances occur as new sessions are created, typically through Remote Desktop or Fast User Switching logons.
Winlogon.exe is also often involved in a logon bypass technique called Sticky Keys. In this attack, a Windows accessibility feature is exploited through a simple registry modification. Once the registry key is modified, a user can press Shift five times at a logon screen and have it execute the program of their choice, typically cmd.exe. The accessibility feature is meant to bring up a window that helps a user log in. When exploited, it instead brings up a command prompt with administrative access.
In this scenario, one would see winlogon.exe launching an unusual child, such as cmd.exe. This behavior is easy to pick out with the proper tooling, as winlogon.exe should never launch a shell like cmd.exe.
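The baseline metadata and the parent-child check described above, written as an added detection example (not code from the original page). It assumes process-creation records with Sysmon-style Image, ParentImage and User fields, %SystemRoot% at C:\Windows, and a hypothetical shell list that extends beyond cmd.exe; the sample records are constructed.

```python
import ntpath

# Assumption: %SystemRoot% is C:\Windows on the monitored hosts.
SYSTEM32 = r"c:\windows\system32"
WINLOGON = SYSTEM32 + r"\winlogon.exe"
SMSS = SYSTEM32 + r"\smss.exe"
LOCAL_SYSTEM = r"nt authority\system"
# Assumption: which children count as shells; the page names only cmd.exe.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def check_event(ev):
    """Return a list of findings for one process-creation record."""
    image = ev["Image"].lower()
    parent = ev.get("ParentImage", "").lower()
    findings = []
    if ntpath.basename(image) == "winlogon.exe":
        if image != WINLOGON:
            findings.append("winlogon.exe outside System32")
        if ev["User"].lower() != LOCAL_SYSTEM:
            findings.append("winlogon.exe not running as Local System")
        # smss.exe exits after launch; a record naming another parent is suspect.
        if parent and parent != SMSS:
            findings.append("winlogon.exe parent is not smss.exe")
    # Only the genuine System32 binary counts as the parent here.
    if parent == WINLOGON and ntpath.basename(image) in SHELLS:
        findings.append("winlogon.exe launched a shell")
    return findings


# Constructed sample records, not taken from a real host.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\winlogon.exe",
     "ParentImage": r"C:\Windows\System32\smss.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Users\Public\winlogon.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"DESKTOP-01\alice"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\winlogon.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\userinit.exe",
     "ParentImage": r"C:\Windows\System32\winlogon.exe",
     "User": r"DESKTOP-01\alice"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["Image"], check_event(ev))
```

The third record is the pattern the Sticky Keys scenario produces: a shell whose parent is the genuine winlogon.exe.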