T1037.001 Logon Script (Windows) Mappings

Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.(Citation: TechNet Logon Scripts) This is done via adding a path to a script to the <code>HKCU\Environment\UserInitMprLogonScript</code> Registry key.(Citation: Hexacorn Logon Scripts)

Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-17 Remote Access Protects T1037.001 Logon Script (Windows)
CM-7 Least Functionality Protects T1037.001 Logon Script (Windows)
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows)