
T1037.001 Logon Script (Windows)

Sub-technique of T1037

Platforms: Windows

ATT&CK version: 14.1

What it is

Adversaries may use Windows logon scripts, which are executed automatically at logon initialization, to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users logs into a system.(Citation: TechNet Logon Scripts) This is done by adding a path to a script to the HKCU\Environment\UserInitMprLogonScript Registry key.(Citation: Hexacorn Logon Scripts) Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.
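Detection sketch for the registry location described above, added here as an example and not taken from MITRE ATT&CK or the cited sources. It assumes registry telemetry with Sysmon Event ID 13 (registry value set) field names; the sample events, the function name find_logon_script_writes and the allowlist of approved scripts are constructed for illustration.

```python
import re

# Value named on this page. Sysmon logs HKCU writes under HKU\<user SID>.
TARGET_RE = re.compile(
    r"^(?:HKU|HKEY_USERS)\\(S-1-5-21-[\d-]+)\\Environment\\UserInitMprLogonScript$",
    re.IGNORECASE,
)

# Constructed sample events using Sysmon Event ID 13 field names.
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2024-01-10 08:15:02.114",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001"
                     r"\Environment\UserInitMprLogonScript",
     "Details": r"C:\Users\Public\startup.bat"},
    {"EventID": 13, "UtcTime": "2024-01-10 08:16:40.002",
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001"
                     r"\Environment\TEMP",
     "Details": r"%USERPROFILE%\AppData\Local\Temp"},
    {"EventID": 13, "UtcTime": "2024-01-10 09:01:13.870",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"hku\S-1-5-21-1004336348-1177238915-682003330-1002"
                     r"\environment\userinitmprlogonscript",
     "Details": r"\\fileserver\netlogon\map-drives.cmd"},
]


def find_logon_script_writes(events, approved_scripts=()):
    """Return one finding per write to UserInitMprLogonScript not on the allowlist."""
    approved = {s.lower() for s in approved_scripts}
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:  # only "registry value set" events
            continue
        match = TARGET_RE.match(ev.get("TargetObject", ""))
        if not match:  # other values under Environment (TEMP, PATH) are ignored
            continue
        script = ev.get("Details", "").strip()
        if script.lower() in approved:
            continue
        findings.append({"time": ev.get("UtcTime"), "sid": match.group(1),
                         "script": script, "writer": ev.get("Image")})
    return findings


if __name__ == "__main__":
    approved = [r"\\fileserver\netlogon\map-drives.cmd"]
    for finding in find_logon_script_writes(SAMPLE_EVENTS, approved):
        print(finding)
```

Each finding carries the user SID, the script path that will run at that user's next logon, and the process that wrote the value, which is what an analyst needs to triage the change.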

ATT&CK tactics: 2

Persistence, Privilege Escalation

References

  1. https://attack.mitre.org/techniques/T1037/001
  2. https://technet.microsoft.com/en-us/library/cc758918(v=ws.10).aspx
  3. http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.