Description
Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.(Citation: TechNet Logon Scripts) This is done via adding a path to a script to the HKCU\Environment\UserInitMprLogonScript Registry key.(Citation: Hexacorn Logon Scripts)
Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.
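As an added defender-side example (not part of the ATT&CK entry or any cited report), the PowerShell audit below enumerates every loaded user hive, reports any UserInitMprLogonScript value under its Environment key, and lists the non-administrative principals allowed to write that key, which is the permission M1024 asks to review. It assumes an elevated prompt on Windows; the function and variable names are mine.

```powershell
# Added example: audit loaded user hives for the UserInitMprLogonScript value.
# Run elevated so that every loaded hive under HKEY_USERS is readable.
function Get-LogonScriptAudit {
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    foreach ($hive in Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue) {
        # *_Classes hives hold file associations, not a user's Environment key.
        if ($hive.PSChildName -match '_Classes$') { continue }
        $envKey = "HKU:\$($hive.PSChildName)\Environment"
        if (-not (Test-Path -Path $envKey)) { continue }

        # $null when the value is absent, which is the expected state on a clean host.
        $value = (Get-ItemProperty -Path $envKey -Name 'UserInitMprLogonScript' `
                    -ErrorAction SilentlyContinue).UserInitMprLogonScript

        # Resolve the hive's SID to an account name where possible (.DEFAULT will not resolve).
        $sid = $hive.PSChildName
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                           [System.Security.Principal.NTAccount]).Value
        } catch { $account = $sid }

        # Principals other than SYSTEM/Administrators that may set values on the key (M1024).
        # A user normally has write access to their own Environment key, so read this
        # column together with the value column rather than treating it alone as a finding.
        $writeBits = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                     [System.Security.AccessControl.RegistryRights]::WriteKey
        $writers = (Get-Acl -Path $envKey).Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($_.RegistryRights -band $writeBits) -and
                $_.IdentityReference.Value -notmatch 'SYSTEM|Administrators'
            } |
            ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

        [PSCustomObject]@{
            Account          = $account
            LogonScriptValue = $value
            NeedsReview      = [bool]$value   # any script path here should be explained
            NonAdminWriters  = ($writers -join ', ')
        }
    }
}

Get-LogonScriptAudit | Format-Table -AutoSize
```

Pair the one-off audit with continuous monitoring of value writes to the same key path (for example Sysmon registry-value-set events), since the value can be removed after the script has run once.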
Platforms: Windows
Mitigations (1)
| ID | Mitigation | Description |
|---|---|---|
| M1024 | Restrict Registry Permissions | Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence. |
Threat Groups (2)
| ID | Group | Context |
|---|---|---|
| G0007 | APT28 | An [APT28](https://attack.mitre.org/groups/G0007) loader Trojan adds the Registry key <code>HKCU\Environment\UserInitMprLogonScript</code> to establis... |
| G0080 | Cobalt Group | [Cobalt Group](https://attack.mitre.org/groups/G0080) has added persistence by registering the file name for the next stage malware under <code>HKCU\E... |
Associated Software (4)
| ID | Name | Type | Context |
|---|---|---|---|
| S0438 | Attor | Malware | [Attor](https://attack.mitre.org/software/S0438)'s dispatcher can establish persistence via adding a Registry key with a logon script <code>HKEY_CURRE... |
| S0044 | JHUHUGIT | Malware | [JHUHUGIT](https://attack.mitre.org/software/S0044) has registered a Windows shell script under the Registry key <code>HKCU\Environment\UserInitMprLog... |
| S0526 | KGH_SPY | Malware | [KGH_SPY](https://attack.mitre.org/software/S0526) has the ability to set the <code>HKCU\Environment\UserInitMprLogonScript</code> Registry key to exe... |
| S0251 | Zebrocy | Malware | [Zebrocy](https://attack.mitre.org/software/S0251) performs persistence with a logon script via adding to the Registry key <code>HKCU\Environment\User... |
References
- Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part 18. Retrieved November 15, 2019.
- Microsoft. (2005, January 21). Creating logon scripts. Retrieved April 27, 2016.
Frequently Asked Questions
What is T1037.001 (Logon Script (Windows))?
T1037.001 is a MITRE ATT&CK technique named 'Logon Script (Windows)'. It belongs to the Persistence, Privilege Escalation tactic(s). Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log...
How can T1037.001 be detected?
Detection of T1037.001 (Logon Script (Windows)) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1037.001?
There is 1 documented mitigation for T1037.001: Restrict Registry Permissions (M1024).
Which threat groups use T1037.001?
Known threat groups using T1037.001 include: APT28, Cobalt Group.