Description
Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.(Citation: TechNet Logon Scripts) This is done via adding a path to a script to the <code>HKCU\Environment\UserInitMprLogonScript</code> Registry key.(Citation: Hexacorn Logon Scripts) Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.
Threat-Mapped Scoring
Threat Score:
0.0
Industry:
Threat Priority:
Unclassified
ATT&CK Kill Chain Metadata
- Tactics: persistence, privilege-escalation
- Platforms: Windows
-
Detection Guidance:
Monitor for changes to Registry values associated with Windows logon scrips, nameley <code>HKCU\Environment\UserInitMprLogonScript</code>. Monitor running process for actions that could be indicative of abnormal programs or executables running upon logon.