Description
Adversaries may use network logon scripts, which are executed automatically during logon initialization, to establish persistence. Network logon scripts can be assigned through Active Directory (the scriptPath attribute on a user object) or through Group Policy Objects.(Citation: Petri Logon Script AD) A logon script runs with the privileges of the user it is assigned to, not with elevated rights of its own. Because one script can be assigned to many users, or to every user in an organizational unit via a GPO, a single modified script may execute on many or potentially all systems in the domain, which is what makes the technique attractive for maintaining persistence across a network. Whether an adversary needs only an ordinary domain user's credentials or an administrator account depends on who holds write access to the script files and to the attributes or GPOs that assign them.
Mitigations (1)
Restrict File and Directory Permissions (M1022)
Restrict write access to logon scripts to specific administrators. In practice that means the script files on the NETLOGON and SYSVOL shares, the scriptPath attribute on user objects, and the GPOs that deliver logon scripts should all be writable only by a small, named set of administrative principals; any other principal with write or delete rights on one of these can plant a script that every assigned user will run.
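The description above explains the two assignment paths (the scriptPath attribute and GPO logon scripts), and the mitigation asks that only named administrators be able to write the scripts. The following PowerShell is an added example, not code from the ATT&CK page or from MITRE: it inventories both assignment paths and reports scripts that are missing, live off the expected share, or are writable by someone outside an allow-list. It assumes the ActiveDirectory RSAT module, read access to user objects and to the NETLOGON and SYSVOL shares, and that the `$TrustedWriters` list (an assumption) matches your domain's administrative principals.

```powershell
# Added example (not from the ATT&CK page): audit network logon script assignments
# and check who can modify the scripts. Assumes the ActiveDirectory RSAT module,
# read access to user objects and the NETLOGON/SYSVOL shares, and that the
# allow-list below matches your domain's administrators (an assumption).

Import-Module ActiveDirectory

$Domain   = (Get-ADDomain).DNSRoot
$Netlogon = "\\$Domain\NETLOGON"
$Policies = "\\$Domain\SYSVOL\$Domain\Policies"

# Principals that may legitimately hold write/delete rights on logon scripts.
$TrustedWriters = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER',
    "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins"
)

# Rights that let a principal replace a script's contents or swap the file.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Get-UntrustedWriters {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]($_.FileSystemRights -band $WriteMask) -ne 0) -and
            ($TrustedWriters -notcontains $_.IdentityReference.Value)
        } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

# 1. Scripts assigned per user through the scriptPath attribute. A bare file name
#    resolves against NETLOGON; a UNC path points wherever the setter chose.
$userFindings = Get-ADUser -Filter 'scriptPath -like "*"' -Properties scriptPath |
    ForEach-Object {
        $full = if ($_.scriptPath -like '\\*') { $_.scriptPath } else { Join-Path $Netlogon $_.scriptPath }
        [pscustomobject]@{
            Source             = "user:$($_.SamAccountName)"
            Script             = $full
            Exists             = Test-Path -LiteralPath $full
            UnexpectedLocation = $full -notlike "$Netlogon\*"
            UntrustedWriters   = (Get-UntrustedWriters $full) -join ', '
        }
    }

# 2. Scripts delivered by Group Policy live under each GPO's User\Scripts\Logon
#    folder in SYSVOL (the GPO's GUID is the folder name).
$gpoFindings = Get-ChildItem -Path $Policies -Directory -ErrorAction SilentlyContinue |
    ForEach-Object {
        $gpo = $_.Name
        Get-ChildItem -Path (Join-Path $_.FullName 'User\Scripts\Logon') -File -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Source             = "gpo:$gpo"
                    Script             = $_.FullName
                    Exists             = $true
                    UnexpectedLocation = $false
                    UntrustedWriters   = (Get-UntrustedWriters $_.FullName) -join ', '
                }
            }
    }

# A missing file is a hijack opportunity (anyone who can create it owns the logon),
# a path off the share is a red flag, and an untrusted writer is a persistence foothold.
@($userFindings) + @($gpoFindings) |
    Where-Object { -not $_.Exists -or $_.UnexpectedLocation -or $_.UntrustedWriters } |
    Format-Table -AutoSize
```

Two caveats when reading the output: a GPO's scripts.ini can reference a script stored outside the GPO's own Scripts\Logon folder, so step 2 only covers scripts kept in the default location, and ACL entries carrying generic rights (shown as large negative numbers) should be inspected by hand rather than trusted to the mask test.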
Frequently Asked Questions
What is T1037.003 (Network Logon Script)?
T1037.003 is a MITRE ATT&CK technique named 'Network Logon Script'. It belongs to the Persistence and Privilege Escalation tactics. Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects....
How can T1037.003 be detected?
Detection of T1037.003 (Network Logon Script) focuses on the two places a network logon script can be introduced or changed: the assignment (the scriptPath attribute on user objects, or the logon-script setting in a GPO) and the script files themselves on the NETLOGON and SYSVOL shares. Monitor directory-service object modifications for changes to scriptPath, file creation and modification on those shares, and process creation at logon whose parent chain starts from a logon script, then correlate the actor, the target user and the affected hosts in your SIEM or EDR. Changes to logon scripts are rare and administrative, so a small allow-list of expected actors keeps the alert volume manageable.
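As an added example (not part of the ATT&CK page), the following PowerShell pulls the two Windows Security log event types that record the changes described above from a domain controller: event 5136 for a modified scriptPath attribute and event 5145 for write or delete access to a script file on the NETLOGON or SYSVOL share. It assumes the DC has the 'Audit Directory Service Changes' subcategory enabled with a SACL on user objects (otherwise 5136 is never written) and 'Audit Detailed File Share' enabled (otherwise 5145 is never written); the lookback window, the script extensions and the output shape are this example's own choices.

```powershell
# Added example (not from the ATT&CK page): pull logon-script tampering evidence
# from a domain controller's Security log. Assumes 'Audit Directory Service Changes'
# (event 5136, needs a SACL on user objects) and 'Audit Detailed File Share'
# (event 5145) are enabled; the window, extensions and output are assumptions.

function ConvertFrom-SecurityEventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # EventData/Data elements carry a Name attribute; flatten them to a hashtable.
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[[string]$d.Name] = [string]$d.'#text' }
    $h
}

function Get-LogonScriptTamperEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)

    # (a) Event 5136: a directory object was modified. Only scriptPath matters here.
    $attrChanges = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-SecurityEventData $_
            if ($d['AttributeLDAPDisplayName'] -eq 'scriptPath') {
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    Kind   = 'scriptPath changed'
                    Actor  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                    Target = $d['ObjectDN']
                    # OperationType %%14674 = value added, %%14675 = value deleted
                    Detail = "$($d['OperationType']) $($d['AttributeValue'])"
                }
            }
        }

    # (b) Event 5145: a file on a share was accessed. Flag write/delete access to
    #     script files on NETLOGON or SYSVOL. AccessMask is a hex string; [int] parses it.
    $writeBits = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000   # WriteData, AppendData, DELETE, WRITE_DAC
    $fileWrites = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5145; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-SecurityEventData $_
            $mask = [int]$d['AccessMask']
            if ($d['ShareName'] -match '\\(NETLOGON|SYSVOL)$' -and
                ($mask -band $writeBits) -ne 0 -and
                $d['RelativeTargetName'] -match '\.(bat|cmd|ps1|vbs|js)$') {
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    Kind   = 'script file written'
                    Actor  = "$($d['SubjectDomainName'])\$($d['SubjectUserName']) from $($d['IpAddress'])"
                    Target = "$($d['ShareName'])\$($d['RelativeTargetName'])"
                    Detail = ('access mask 0x{0:X}' -f $mask)
                }
            }
        }

    @($attrChanges) + @($fileWrites) | Sort-Object Time
}

Get-LogonScriptTamperEvents -Hours 24 | Format-Table -AutoSize
```

Run it on each domain controller (or against forwarded events), and treat any actor outside your expected set of script maintainers as worth an immediate look; a scriptPath change followed within minutes by a write to the same file name on NETLOGON is the pattern the description above warns about.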
What mitigations exist for T1037.003?
There is one documented mitigation for T1037.003: Restrict File and Directory Permissions (M1022), which limits write access to logon scripts to specific administrators.
Which threat groups use T1037.003?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.