Boot or Logon Initialization Scripts: Logon Script (Windows)
Other sub-techniques of Boot or Logon Initialization Scripts (5)
ID | Name |
---|---|
T1037.001 | Logon Script (Windows) |
T1037.002 | Logon Script (Mac) |
T1037.003 | Network Logon Script |
T1037.004 | Rc.common |
T1037.005 | Startup Items |
Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.[1] This is done via adding a path to a script to the HKCU\Environment\UserInitMprLogonScript Registry key.[2]
Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.
Procedure Examples
Name | Description |
---|---|
APT28 | An APT28 loader Trojan adds the Registry key |
Attor | Attor's dispatcher can establish persistence via adding a Registry key with a logon script |
Cobalt Group | Cobalt Group has added persistence by registering the file name for the next stage malware under |
JHUHUGIT | JHUHUGIT has registered a Windows shell script under the Registry key |
Zebrocy | Zebrocy performs persistence with a logon script via adding to the Registry key |
Mitigations
Mitigation | Description |
---|---|
Restrict Registry Permissions | Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence. |
Detection
Monitor for changes to Registry values associated with Windows logon scripts, namely HKCU\Environment\UserInitMprLogonScript.
Monitor running processes for actions that could be indicative of abnormal programs or executables running upon logon.
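The following detection logic is an added example, not part of the ATT&CK page or of any referenced tooling. It scans flattened Sysmon Event ID 13 (RegistryEvent, value set) records for writes to the UserInitMprLogonScript value and returns an alert per hit. The tab-separated `key=value` record layout and the four sample events are constructed for this example; the assumption that Sysmon reports per-user hives as `HKU\<SID>\...` rather than `HKCU\...` is handled by matching both forms.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# The value named on the ATT&CK page is HKCU\Environment\UserInitMprLogonScript.
# Sysmon (assumption) writes per-user hives as HKU\<SID>\Environment\..., so the
# pattern accepts either spelling. Case-insensitive because registry paths are.
LOGON_SCRIPT_VALUE = re.compile(
    r"^(HKCU|HKU\\[^\\]+)\\Environment\\UserInitMprLogonScript$",
    re.IGNORECASE,
)


@dataclass
class Alert:
    record_id: int
    image: str          # process that wrote the value
    user: str           # account context of that process
    target_object: str  # full registry path that was written
    details: str        # new value data, i.e. the script path/command


def parse_sysmon_event(line: str) -> Dict[str, str]:
    """Parse one constructed, tab-separated 'Field=Value' Sysmon record."""
    fields: Dict[str, str] = {}
    for part in line.rstrip("\n").split("\t"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def detect_logon_script_persistence(lines: Iterable[str]) -> List[Alert]:
    """Return an Alert for every value-set event that targets UserInitMprLogonScript."""
    alerts: List[Alert] = []
    for line in lines:
        event = parse_sysmon_event(line)
        # Only Event ID 13 carries the written data; key creation (12) is noise here.
        if event.get("EventID") != "13":
            continue
        target = event.get("TargetObject", "")
        if LOGON_SCRIPT_VALUE.match(target):
            alerts.append(Alert(
                record_id=int(event.get("RecordID", "0")),
                image=event.get("Image", ""),
                user=event.get("User", ""),
                target_object=target,
                details=event.get("Details", ""),
            ))
    return alerts


# Constructed sample records: two writes to the logon-script value (one via
# HKU\<SID>, one via HKCU), one benign write to a different Environment value,
# and one key-creation event on the same path that must not fire.
SAMPLE_EVENTS = [
    "RecordID=101\tEventID=13\tImage=C:\\Windows\\System32\\cmd.exe\tUser=CORP\\jdoe"
    "\tTargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Environment\\UserInitMprLogonScript"
    "\tDetails=C:\\Users\\jdoe\\AppData\\Roaming\\update.bat",
    "RecordID=102\tEventID=13\tImage=C:\\Windows\\System32\\SystemPropertiesAdvanced.exe"
    "\tUser=CORP\\jdoe\tTargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Environment\\Path"
    "\tDetails=C:\\Tools",
    "RecordID=103\tEventID=13\tImage=C:\\Windows\\regedit.exe\tUser=CORP\\admin"
    "\tTargetObject=HKCU\\Environment\\UserInitMprLogonScript"
    "\tDetails=\\\\fileserver\\scripts\\mapdrives.vbs",
    "RecordID=104\tEventID=12\tImage=C:\\Windows\\regedit.exe\tUser=CORP\\admin"
    "\tTargetObject=HKU\\S-1-5-21-1111-2222-3333-1002\\Environment\\UserInitMprLogonScript",
]


def run_sample() -> List[Alert]:
    return detect_logon_script_persistence(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"[{alert.record_id}] {alert.user} via {alert.image} set "
              f"{alert.target_object} = {alert.details}")
```

In practice the `Image` and `Details` fields are what make the alert actionable: a script path under a user-writable directory, or a writer such as a shell or an Office process, is far more suspicious than an administrator setting the value through the system dialog, so baseline the writer/value pairs seen in the environment before alerting on every hit.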
References
- Microsoft. (2005, January 21). Creating logon scripts. Retrieved April 27, 2016.
- Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part 18. Retrieved November 15, 2019.
- Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
- Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
- Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018.
- ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
- Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
- ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019.