Adversaries may use Windows logon scripts, which are automatically executed at logon initialization, to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users logs into a system.(Citation: TechNet Logon Scripts) This is done by adding the path to a script under the <code>HKCU\Environment\UserInitMprLogonScript</code> Registry key.(Citation: Hexacorn Logon Scripts)
Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.
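An added example (this script is my own, not code from the mapping page, MITRE, or Microsoft): a PowerShell audit that lists the UserInitMprLogonScript value described above for every loaded user hive, giving a defender a reviewable baseline for the registry changes that the File Integrity Monitoring comment below refers to. The function name Get-UserInitLogonScript is an assumption; the script relies on HKCU being a view of HKU\<SID>, so scanning HKEY_USERS covers every currently loaded profile.

```powershell
# Added example (not from the mapping page, MITRE, or Microsoft).
# Enumerates the UserInitMprLogonScript value for every loaded user hive.
# HKCU is a view of HKU\<SID>, so scanning HKU covers all loaded profiles.
# Run elevated so that every loaded hive is readable.
function Get-UserInitLogonScript {
    [CmdletBinding()]
    param()

    # Expose HKEY_USERS as a PowerShell drive if it is not already mapped.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    # Keep real account SIDs (S-1-5-21-...); skip the *_Classes hives and built-in SIDs.
    Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } |
        ForEach-Object {
            $sid    = $_.PSChildName
            $envKey = "HKU:\$sid\Environment"
            # Returns nothing (no error) when the value is absent, which is the usual state.
            $item   = Get-ItemProperty -Path $envKey -Name 'UserInitMprLogonScript' -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $raw = $item.UserInitMprLogonScript
                try {
                    $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    $account = $sid   # profile of a deleted or non-resolvable account
                }
                # The value may reference environment variables; expand before checking the file.
                $expanded = [Environment]::ExpandEnvironmentVariables([string]$raw)
                [PSCustomObject]@{
                    Account      = $account
                    RegistryKey  = $envKey
                    ScriptValue  = $raw
                    ExpandedPath = $expanded
                    FileExists   = if ($expanded) { Test-Path -LiteralPath $expanded } else { $false }
                }
            }
        }
}

# Any populated value is worth reviewing against what the environment expects;
# compare successive runs to catch changes made between FIM scan intervals.
Get-UserInitLogonScript | Format-Table -AutoSize
```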
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
---|---|---|---|---|---
PR.AA-05.01 | Access privilege limitation | Mitigates | T1037.001 | Logon Script (Windows) | Comments: This diagnostic statement describes the implementation of the least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
---|---|---|---|---|---
AC-17 | Remote Access | mitigates | T1037.001 | Logon Script (Windows) |
CM-07 | Least Functionality | mitigates | T1037.001 | Logon Script (Windows) |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
---|---|---|---|---|---
attribute.integrity.variety.Modify configuration | Modified configuration or services | related-to | T1037.001 | Logon Script (Windows) |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
---|---|---|---|---|---
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | technique_scores | T1037.001 | Logon Script (Windows) | Comments: This control may detect changes to the Windows Registry upon creation or modification of logon scripts. At worst, this control scans for changes on an hourly basis.