ID | Name |
---|---|
T1037.001 | Logon Script (Windows) |
T1037.002 | Login Hook |
T1037.003 | Network Logon Script |
T1037.004 | RC Scripts |
T1037.005 | Startup Items |
Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.[1] This is done via adding a path to a script to the HKCU\Environment\UserInitMprLogonScript Registry key.[2]
Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.
ID | Name | Description |
---|---|---|
G0007 | APT28 | An APT28 loader Trojan adds the Registry key |
S0438 | Attor | Attor's dispatcher can establish persistence via adding a Registry key with a logon script |
G0080 | Cobalt Group | Cobalt Group has added persistence by registering the file name for the next stage malware under |
S0044 | JHUHUGIT | JHUHUGIT has registered a Windows shell script under the Registry key |
S0526 | KGH_SPY | KGH_SPY has the ability to set the |
S0251 | Zebrocy | Zebrocy performs persistence with a logon script via adding to the Registry key |
ID | Mitigation | Description |
---|---|---|
M1024 | Restrict Registry Permissions | Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence. |
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0009 | Process | Process Creation |
DS0024 | Windows Registry | Windows Registry Key Creation |
Monitor for changes to Registry values associated with Windows logon scripts, namely HKCU\Environment\UserInitMprLogonScript.
Monitor running processes for actions that could be indicative of abnormal programs or executables running upon logon.
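Detection logic for the Windows Registry data source above, as an added example that is not part of this ATT&CK page: it parses constructed JSON-lines records modelled on Sysmon Event ID 13 (RegistryEvent: Value Set; the field names are an assumption) and flags any value write targeting UserInitMprLogonScript in a user hive, which is the key the technique description names.

```python
import json
import re

# UserInitMprLogonScript under the user's Environment key. HKCU\Environment\...
# is recorded by Sysmon as HKU\<SID>\Environment\... (assumed Sysmon naming).
LOGON_SCRIPT_VALUE = re.compile(
    r"^HK(?:CU|U\\S-1-5-[0-9-]+)\\Environment\\UserInitMprLogonScript$",
    re.IGNORECASE,
)

# Constructed sample telemetry (not real logs): one JSON object per line,
# modelled on Sysmon Event ID 13 (RegistryEvent: Value Set) fields.
SAMPLE_LOG = r"""
{"EventID": 13, "User": "WS01\\alice", "Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": "HKU\\S-1-5-21-111-222-333-1001\\Environment\\UserInitMprLogonScript", "Details": "C:\\Users\\alice\\AppData\\Roaming\\svc.bat"}
{"EventID": 13, "User": "WS01\\alice", "Image": "C:\\Windows\\System32\\SystemPropertiesAdvanced.exe", "TargetObject": "HKU\\S-1-5-21-111-222-333-1001\\Environment\\TEMP", "Details": "%USERPROFILE%\\AppData\\Local\\Temp"}
{"EventID": 1, "User": "WS01\\alice", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
{"EventID": 13, "User": "WS01\\bob", "Image": "C:\\Users\\bob\\Downloads\\setup.exe", "TargetObject": "HKU\\S-1-5-21-111-222-333-1002\\Environment\\UserInitMprLogonScript", "Details": "C:\\ProgramData\\u.vbs"}
not valid json
"""


def parse_events(log_text):
    """Parse JSON-lines telemetry; skip blank or malformed lines instead of failing."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_logon_script_writes(events):
    """Return one alert per value-set event whose target is UserInitMprLogonScript."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue  # only registry value writes carry the script path
        target = ev.get("TargetObject", "")
        if LOGON_SCRIPT_VALUE.search(target):
            alerts.append({"user": ev.get("User"), "writer": ev.get("Image"),
                           "script": ev.get("Details"), "target": target})
    return alerts


if __name__ == "__main__":
    for a in find_logon_script_writes(parse_events(SAMPLE_LOG)):
        print(f"[T1037.001] {a['user']} via {a['writer']} set logon script {a['script']}")
```

The writer (`Image`) field is the triage pivot: a value set by an unsigned binary in a user profile deserves a different response than one set by a known configuration tool.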