Technique on mitre.org

T1037: Boot or Logon Initialization Scripts

Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely.

Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

An adversary may also be able to escalate their privileges since some boot or logon initialization scripts run with higher privileges.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

Subtechniques

Detection

ID	DS0017	Data source and component	Command: Command Execution	Description	Monitor executed commands and arguments that may consist of logon scripts for unusual access by abnormal users or at abnormal times.

ID	DS0024	Data source and component	Windows Registry: Windows Registry Key Creation	Description	Monitor for newly constructed windows registry keys that may use scripts automatically executed at boot or logon initialization to establish persistence.

ID	DS0026	Data source and component	Active Directory: Active Directory Object Modification	Description	Monitor for changes made in the Active Directory that may use scripts automatically executed at boot or logon initialization to establish persistence.

ID	DS0022	Data source and component	File: File Creation	Description	Monitor for newly constructed files that may use scripts automatically executed at boot or logon initialization to establish persistence.

ID	DS0022	Data source and component	File: File Modification	Description	Monitor for changes made to files that are modified by unusual accounts outside of normal administration duties.

ID	DS0009	Data source and component	Process: Process Creation	Description	Monitor for newly executed processes that may use scripts automatically executed at boot or logon initialization to establish persistence. Adversaries may schedule software to run whenever a user logs into the system; this is done to establish persistence and sometimes for lateral movement. This trigger is established through the registry key `HKEY_CURRENT_USER\EnvironmentUserInitMprLogonScript`. This signature looks edits to existing keys or creation of new keys in that path. Users purposefully adding benign scripts to this path will result in false positives; that case is rare, however. There are other ways of running a script at startup or login that are not covered in this signature. Note that this signature overlaps with the Windows Sysinternals Autoruns tool, which would also show changes to this registry path. Analytic 1 - Boot or Logon Initialization Scripts `(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND CommandLine="regadd\EnvironmentUserInitMprLogonScript"`

ID	Data source and component	Description
DS0017	Command: Command Execution	Monitor executed commands and arguments that may consist of logon scripts for unusual access by abnormal users or at abnormal times.
DS0024	Windows Registry: Windows Registry Key Creation	Monitor for newly constructed windows registry keys that may use scripts automatically executed at boot or logon initialization to establish persistence.
DS0026	Active Directory: Active Directory Object Modification	Monitor for changes made in the Active Directory that may use scripts automatically executed at boot or logon initialization to establish persistence.
DS0022	File: File Creation	Monitor for newly constructed files that may use scripts automatically executed at boot or logon initialization to establish persistence.
DS0022	File: File Modification	Monitor for changes made to files that are modified by unusual accounts outside of normal administration duties.
DS0009	Process: Process Creation	Monitor for newly executed processes that may use scripts automatically executed at boot or logon initialization to establish persistence. Adversaries may schedule software to run whenever a user logs into the system; this is done to establish persistence and sometimes for lateral movement. This trigger is established through the registry key `HKEY_CURRENT_USER\EnvironmentUserInitMprLogonScript`. This signature looks edits to existing keys or creation of new keys in that path. Users purposefully adding benign scripts to this path will result in false positives; that case is rare, however. There are other ways of running a script at startup or login that are not covered in this signature. Note that this signature overlaps with the Windows Sysinternals Autoruns tool, which would also show changes to this registry path. Analytic 1 - Boot or Logon Initialization Scripts `(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND CommandLine="regadd\EnvironmentUserInitMprLogonScript"`

Mitigation

ID	M1024	Name	Restrict Registry Permissions	Description	Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence.

ID	M1022	Name	Restrict File and Directory Permissions	Description	Restrict write access to logon scripts to specific administrators.

ID	Name	Description
M1024	Restrict Registry Permissions	Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence.
M1022	Restrict File and Directory Permissions	Restrict write access to logon scripts to specific administrators.