CYBERSECURITY JOB HUNTING GUIDE
T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows)
Author: Stefan Waldvogel
LimaCharlie vs. Logon Script (Windows)
Overview:
Description from ATT&CK
Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.(Citation: TechNet Logon Scripts) This is done via adding a path to a script to the HKCU\Environment\UserInitMprLogonScript Registry key.(Citation: Hexacorn Logon Scripts)
Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.
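The technique above leaves a single, well-defined artifact: a string value named UserInitMprLogonScript under a user's Environment key. The following PowerShell audit is an added example (it is not part of this page, of Atomic Red Team, or of LimaCharlie); it walks every loaded user hive under HKEY_USERS, reports any such value together with whether the referenced file exists, and so gives a defender a quick baseline check to pair with the test run. It assumes it runs on Windows in a session that can read the other users' hives (typically elevated); the output object shape is the author's own choice.

```powershell
# Audit every loaded user hive for the UserInitMprLogonScript persistence value.
# Added example, not from the original page; assumes Windows and read access to HKEY_USERS.
$valueName = 'UserInitMprLogonScript'
$findings  = @()

# HKU: is not mounted by default; mount it so each loaded profile hive can be iterated.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue |
    # Skip the *_Classes hives; the value lives under <SID>\Environment only.
    Where-Object { $_.PSChildName -notmatch '_Classes$' } |
    ForEach-Object {
        $envKey = Join-Path -Path $_.PSPath -ChildPath 'Environment'
        # Get-ItemProperty returns $null (silently) when the key or value is absent.
        $item = Get-ItemProperty -Path $envKey -Name $valueName -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $scriptPath = $item.$valueName
            $findings += [pscustomobject]@{
                Hive       = $_.PSChildName          # SID of the profile that owns the value
                ValueName  = $valueName
                ScriptPath = $scriptPath             # what will run at the next logon
                FileExists = Test-Path -LiteralPath $scriptPath  # dangling entries are still worth triage
            }
        }
    }

if ($findings.Count -eq 0) {
    Write-Output "No $valueName value present in any loaded user hive."
} else {
    # Any hit deserves review: legitimate use of this value is rare on managed endpoints.
    $findings | Format-Table -AutoSize
}
```

Run it before and after the atomic test: the test should produce exactly one row for the current user's SID, and the cleanup should remove it again. For continuous monitoring rather than point-in-time audit, the same artifact surfaces as a registry value-set event (Sysmon Event ID 13) whose target object ends in UserInitMprLogonScript, which is the kind of condition the Sigma detection referenced in the results below keys on.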
Source: github.com/redcanaryco/atomic-red-team/tree/master/atomics
Commands:
Invoke-AtomicTest T1037.001 -ShowDetailsBrief
Invoke-AtomicTest T1037.001 -CheckPrereqs
Invoke-AtomicTest T1037.001 -GetPrereqs
Invoke-AtomicTest T1037.001 -TestNumbers 1
Invoke-AtomicTest T1037.001 -Cleanup
Changes:
-none-
Limitations:
Results:
This section has 1 subtest.
Invoke-AtomicTest T1037.001 -TestNumbers 1: sigma detected
© 2021. This work is licensed under a CC BY-SA 4.0 license