Technique on mitre.org

T1037.001: Logon Script (Windows)

Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system. This is done via adding a path to a script to the HKCU\Environment\UserInitMprLogonScript Registry key.

Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_persistence: PT-CR-1350: Script_Path_Attribute_Changed: Attempting to change the LDAP attribute responsible for launching scripts at logon mitre_attck_persistence: PT-CR-667: Userinitmprlogonscript_Modify: A process changed a registry parameter value mitre_attck_persistence: PT-CR-1347: Logon_Script_Execution: A user attempted to run a script during login

Detection

ID	DS0017	Data source and component	Command: Command Execution	Description	Monitor executed commands and arguments for logon scripts

ID	DS0009	Data source and component	Process: Process Creation	Description	Monitor for newly constructed processes and/or command-lines that execute logon scripts Analytic 1 - Boot or Logon Initialization Scripts `(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND CommandLine="regadd\EnvironmentUserInitMprLogonScript"`

ID	DS0024	Data source and component	Windows Registry: Windows Registry Key Creation	Description	Monitor for the creation to Registry keys associated with Windows logon scrips, nameley `HKCU\Environment\UserInitMprLogonScript`. Adversaries may schedule software to run whenever a user logs into the system; this is done to establish persistence and sometimes for lateral movement. This trigger is established through the registry key HKEY_CURRENT_USER\EnvironmentUserInitMprLogonScript. This signature looks edits to existing keys or creation of new keys in that path. Users purposefully adding benign scripts to this path will result in false positives; that case is rare, however. There are other ways of running a script at startup or login that are not covered in this signature. Note that this signature overlaps with the Windows Sysinternals Autoruns tool, which would also show changes to this registry path. Analytic 1 - Boot or Logon Initialization Scripts `(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode IN (12, 14, 13)) TargetObject= "\Environment*UserInitMprLogonScript")`

ID	Data source and component	Description
DS0017	Command: Command Execution	Monitor executed commands and arguments for logon scripts
DS0009	Process: Process Creation	Monitor for newly constructed processes and/or command-lines that execute logon scripts Analytic 1 - Boot or Logon Initialization Scripts `(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND CommandLine="regadd\EnvironmentUserInitMprLogonScript"`
DS0024	Windows Registry: Windows Registry Key Creation	Monitor for the creation to Registry keys associated with Windows logon scrips, nameley `HKCU\Environment\UserInitMprLogonScript`. Adversaries may schedule software to run whenever a user logs into the system; this is done to establish persistence and sometimes for lateral movement. This trigger is established through the registry key HKEY_CURRENT_USER\EnvironmentUserInitMprLogonScript. This signature looks edits to existing keys or creation of new keys in that path. Users purposefully adding benign scripts to this path will result in false positives; that case is rare, however. There are other ways of running a script at startup or login that are not covered in this signature. Note that this signature overlaps with the Windows Sysinternals Autoruns tool, which would also show changes to this registry path. Analytic 1 - Boot or Logon Initialization Scripts `(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode IN (12, 14, 13)) TargetObject= "\Environment*UserInitMprLogonScript")`

Mitigation

ID	M1024	Name	Restrict Registry Permissions	Description	Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence.

ID	Name	Description
M1024	Restrict Registry Permissions	Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence.