Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.(Citation: TechNet Logon Scripts) This is done by adding the path of a script to the <code>HKCU\Environment\UserInitMprLogonScript</code> Registry key.(Citation: Hexacorn Logon Scripts)
Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.
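As an added defender-side check (not part of the ATT&CK page), the PowerShell function below audits the <code>UserInitMprLogonScript</code> value described above across every loaded user hive under <code>HKEY_USERS</code> (<code>HKCU</code> is the current user's view of one such hive), reporting the owning account, the configured script path and whether that file exists. It assumes it is run with rights to read <code>HKEY_USERS</code>; hives of users who are not logged on are not loaded and so are not covered.

```powershell
# Added example, not from the ATT&CK page: enumerate loaded user hives and report
# any UserInitMprLogonScript value (the key abused by T1037.001).
# Assumption: the caller can read HKEY_USERS; only hives of logged-on users are loaded.
function Get-UserInitLogonScript {
    [CmdletBinding()]
    param()

    # Each loaded user hive is a subkey of HKU named by SID; skip the *_Classes hives.
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' }

    foreach ($hive in $hives) {
        $sid    = $hive.PSChildName
        $envKey = "Registry::HKEY_USERS\$sid\Environment"
        if (-not (Test-Path -Path $envKey)) { continue }

        # The value is normally absent; any hit deserves review.
        $value = Get-ItemProperty -Path $envKey -Name 'UserInitMprLogonScript' -ErrorAction SilentlyContinue
        if ($null -eq $value) { continue }
        $scriptPath = [string]$value.UserInitMprLogonScript

        # Resolve the SID to an account name; orphaned SIDs are reported as-is.
        try {
            $account = (New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $sid
        }

        # Test-Path rejects an empty string, so guard before checking the file.
        $exists = $false
        if ($scriptPath) { $exists = Test-Path -LiteralPath $scriptPath -ErrorAction SilentlyContinue }

        [PSCustomObject]@{
            Account      = $account
            Sid          = $sid
            RegistryKey  = "HKU\$sid\Environment\UserInitMprLogonScript"
            ScriptPath   = $scriptPath
            ScriptExists = $exists
        }
    }
}

Get-UserInitLogonScript | Format-Table -AutoSize
```

A populated value whose target file no longer exists is still worth a closer look, since the path may be re-created later.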
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-17 | Remote Access | Protects | T1037.001 | Logon Script (Windows) |
CM-7 | Least Functionality | Protects | T1037.001 | Logon Script (Windows) |
attribute.integrity.variety.Modify configuration | Modified configuration or services | related-to | T1037.001 | Boot or Logon Initialization Scripts: Logon Script (Windows) |