T1037.003SubTechniquepersistenceprivilege-escalationagent-callable

T1037.003Network Logon Script

Sub-technique of T1037

Platforms: Windows

ATT&CK version: 14.1

What it is

Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects.(Citation: Petri Logon Script AD) These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, initializing one of these scripts could apply to more than one or potentially all systems. Adversaries may use these scripts to maintain persistence on a network. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

ATT&CK tactics· 2

PersistencePrivilege Escalation

References

  1. https://attack.mitre.org/techniques/T1037/003
  2. https://www.petri.com/setting-up-logon-script-through-active-directory-users-computers-windows-server-2008
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.