Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects.(Citation: Petri Logon Script AD) These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, initializing one of these scripts could apply to more than one or potentially all systems.
Adversaries may use these scripts to maintain persistence on a network. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-3 | Access Enforcement | Protects | T1037.003 | Network Logon Script | |
| CA-7 | Continuous Monitoring | Protects | T1037.003 | Network Logon Script | |
| CM-2 | Baseline Configuration | Protects | T1037.003 | Network Logon Script | |
| CM-6 | Configuration Settings | Protects | T1037.003 | Network Logon Script | |
| SI-3 | Malicious Code Protection | Protects | T1037.003 | Network Logon Script | |
| SI-4 | System Monitoring | Protects | T1037.003 | Network Logon Script | |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1037.003 | Network Logon Script |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| file_integrity_monitoring | File Integrity Monitoring | technique_scores | T1037.003 | Network Logon Script |
Comments
This control may detect changes to the Windows registry upon creation or modification of logon scripts. This control at worst scans for changes on an hourly basis.
References
|