T1037.003 Network Logon Script Mappings

Adversaries may use network logon scripts, which are executed automatically at logon initialization, to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects.(Citation: Petri Logon Script AD) These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, a single script may execute on more than one system, or potentially on all of them.

Adversaries may use these scripts to maintain persistence on a network. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.


NIST 800-53 Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CA-07 | Continuous Monitoring | mitigates | T1037.003 | Network Logon Script | |
| CM-06 | Configuration Settings | mitigates | T1037.003 | Network Logon Script | |
| SI-03 | Malicious Code Protection | mitigates | T1037.003 | Network Logon Script | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1037.003 | Network Logon Script | |
| CM-02 | Baseline Configuration | mitigates | T1037.003 | Network Logon Script | |
| SI-04 | System Monitoring | mitigates | T1037.003 | Network Logon Script | |
| AC-03 | Access Enforcement | mitigates | T1037.003 | Network Logon Script | |

VERIS Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| attribute.integrity.variety.Modify configuration | Modified configuration or services | related-to | T1037.003 | Network Logon Script | |

GCP Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_secops | Google Security Operations | technique_scores | T1037.003 | Network Logon Script | See comments below |

Comments

Google Security Ops triggers an alert based on suspicious connections (e.g., Netlogon connections). Relevant detection rules:

https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/system/vulnerable_netlogon_secure_channel_connection_allowed.yaral

https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/logon_scripts__userinitmprlogonscript.yaral