T1037.001 - Logon Script (Windows)

Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.(Citation: TechNet Logon Scripts) This is done via adding a path to a script to the HKCU\Environment\UserInitMprLogonScript Registry key.(Citation: Hexacorn Logon Scripts)

Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

Atomic Tests

Atomic Test #1 - Logon Scripts

Adds a registry value to run a batch script created in the %temp% directory. Upon execution, there will be a new environment variable in the HKCU\Environment key that can be viewed in the Registry Editor.

Supported Platforms: windows

Attack Commands: Run with command_prompt

echo "echo Art "Logon Script" atomic test was successful. >> %USERPROFILE%\desktop\T1037.001-log.txt" > %temp%\art.bat
REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "%temp%\art.bat" /f
Invoke-AtomicTest T1037.001 -TestNumbers 1

Cleanup:

REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f >nul 2>&1
del %temp%\art.bat >nul 2>&1
del "%USERPROFILE%\desktop\T1037.001-log.txt" >nul 2>&1
Invoke-AtomicTest T1037.001 -TestNumbers 1 -Cleanup

Detection

Monitor for changes to Registry values associated with Windows logon scripts, namely HKCU\Environment\UserInitMprLogonScript.

Monitor running processes for actions that could be indicative of abnormal programs or executables running upon logon.
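As an added defensive example (not part of the Atomic Red Team page or its test), the following Python applies the registry check from the Detection section to a few constructed, Sysmon-style Event ID 13 (RegistryEvent: Value Set) records. The field names mirror Sysmon's, but the records, SIDs and file paths are invented, and the "suspect path" list is an assumption you would tune to your environment.

```python
import re
from typing import Dict, List

# Registry value the technique writes, relative to the user's hive
# (Sysmon reports HKCU writes as HKU\<SID>\Environment\UserInitMprLogonScript).
LOGON_SCRIPT_VALUE = r"\environment\userinitmprlogonscript"

# Script locations worth escalating: user-writable or temporary directories
# (assumed list; a script under %temp% is exactly what the atomic test drops).
SUSPECT_PATH = re.compile(r"\\temp\\|\\downloads\\|\\public\\", re.I)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed Key="Value" record into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def detect_logon_script_writes(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per Sysmon Event ID 13 record whose TargetObject is
    <hive>\\Environment\\UserInitMprLogonScript; key creates (ID 12) and
    writes to other Environment values are ignored."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13":
            continue  # only "Value Set" events carry the script path
        if not ev.get("TargetObject", "").lower().endswith(LOGON_SCRIPT_VALUE):
            continue
        script = ev.get("Details", "")
        severity = "high" if SUSPECT_PATH.search(script) else "medium"
        findings.append({"user": ev.get("User", "?"), "image": ev.get("Image", "?"),
                         "script": script, "severity": severity})
    return findings


# Constructed sample records: one matches the atomic test, one is a benign
# Path change, one is a key create (ID 12), one is a logon script on a share.
SAMPLE_EVENTS = [
    'EventID="13" User="CORP\\alice" Image="C:\\Windows\\System32\\reg.exe" TargetObject="HKU\\S-1-5-21-1-2-3-1001\\Environment\\UserInitMprLogonScript" Details="C:\\Users\\alice\\AppData\\Local\\Temp\\art.bat"',
    'EventID="13" User="CORP\\alice" Image="C:\\Windows\\explorer.exe" TargetObject="HKU\\S-1-5-21-1-2-3-1001\\Environment\\Path" Details="C:\\Tools"',
    'EventID="12" User="CORP\\bob" Image="C:\\Windows\\regedit.exe" TargetObject="HKU\\S-1-5-21-1-2-3-1002\\Environment\\UserInitMprLogonScript" Details=""',
    'EventID="13" User="CORP\\svc" Image="C:\\Windows\\System32\\gpscript.exe" TargetObject="HKU\\S-1-5-21-1-2-3-1003\\Environment\\UserInitMprLogonScript" Details="\\\\corp.example\\netlogon\\logon.bat"',
]

if __name__ == "__main__":
    for f in detect_logon_script_writes(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['user']} set logon script {f['script']} via {f['image']}")
```

Pairing each finding with a process-creation event for the script path at the user's next logon covers the second detection point above.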