Boot or Logon Initialization Scripts: Logon Script (Windows) (T1037.001)
Tactics: Persistence, Privilege Escalation · Platforms: Windows
The interactive view maps 1 detection strategy, 1 mitigation, 2 threat groups, 4 software entries to this technique, alongside D3FEND countermeasures and data-component coverage.
Sub-technique of Boot or Logon Initialization Scripts (T1037).
Overview
Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system. This is done via adding a path to a script to the HKCU\Environment\UserInitMprLogonScript Registry key.
Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.