
CAPEC-564: Run Software at Logon

Abstraction: Detailed
Status: Draft

Description

Operating systems allow logon scripts to be run whenever a specific user or users log on to a system. If adversaries can access these scripts, they may insert additional code into the logon script. This code can allow them to maintain persistence or move laterally within an enclave because it is executed every time the affected user or users log on to a computer. Modifying logon scripts can effectively bypass workstation and enclave firewalls. Depending on the access configuration of the logon scripts, either local credentials or a remote administrative account may be necessary.

Related weaknesses · 1

CWE-284

MITRE ATT&CK crosswalk · 4

T1037: Boot or Logon Initialization Scripts
T1543.001: Create or Modify System Process: Launch Agent
T1543.004: Create or Modify System Process: Launch Daemon
T1547: Boot or Logon Autostart Execution

Related attack patterns · 1

CAPEC-542 (ChildOf)

Exploits · 1

Type | Target | Confidence | Tier
Weakness | Improper Access Control (cwe-284) | 100% | live

Related to · 4

Type | Target | Confidence | Tier
SubTechnique | Launch Agent (t1543.001) | 100% | live
SubTechnique | Launch Daemon (t1543.004) | 100% | live
Technique | Boot or Logon Initialization Scripts (t1037) | 100% | live
Technique | Boot or Logon Autostart Execution (t1547) | 100% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC: Modification of Registry Run Keys
Sub-technique: Logon Script (Windows)
CAPEC: Local Execution of Code
Technique: Boot or Logon Autostart Execution
Technique: Boot or Logon Initialization Scripts
CAPEC: Install Rootkit

Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.