PT Sandbox

Profound defense against sophisticated malware and zero-day threats

T1037.003: Network Logon Script

Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects. These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, initializing one of these scripts could apply to more than one or potentially all systems.

Adversaries may use these scripts to maintain persistence on a network. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

Positive Technologies products that cover the technique

Description of detection methods is not available yet

Detection

ID: DS0017
Data source and component: Command: Command Execution
Description: Monitor executed commands and arguments for logon scripts.

ID: DS0026
Data source and component: Active Directory: Active Directory Object Modification
Description: Monitor for changes made in Active Directory that assign network logon scripts, which are automatically executed at logon initialization and can be used to establish persistence.

ID: DS0022
Data source and component: File: File Modification
Description: Monitor files for unexpected modifications by unusual accounts outside of normal administration duties.

ID: DS0009
Data source and component: Process: Process Creation
Description: Monitor for newly constructed processes and/or command lines that execute logon scripts.

ID: DS0022
Data source and component: File: File Creation
Description: Monitor for newly constructed files by unusual accounts outside of normal administration duties.

Mitigation

ID: M1022
Name: Restrict File and Directory Permissions
Description: Restrict write access to logon scripts to specific administrators.
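An added audit script for the DS0026 and DS0022 data sources and the M1022 mitigation above (example code, not Positive Technologies' or ATT&CK's own): it lists accounts whose scriptPath attribute assigns a logon script, enumerates script files under NETLOGON and the GPO policies tree in SYSVOL, and reports access entries that grant write rights to identities outside an assumed administrator allow-list. It assumes the ActiveDirectory RSAT module and read access to SYSVOL; the allow-list entries and script extensions are assumptions to adjust per domain.

```powershell
# Added audit example; not code from Positive Technologies or the ATT&CK page.
# Assumes the ActiveDirectory module (RSAT) and read access to SYSVOL/NETLOGON.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$dnsRoot = $domain.DNSRoot
$netbios = $domain.NetBIOSName

# Assumed allow-list: identities that legitimately may write logon scripts (M1022).
$allowedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                    "$netbios\Domain Admins", "$netbios\Enterprise Admins")
# Rights that let an identity alter or replace a script file.
$writeBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete'

# 1. Per-user logon script assignments stored on the AD user object (DS0026).
#    scriptPath is relative to NETLOGON unless it is a full UNC path.
Write-Host "== Accounts with a logon script assigned (scriptPath) =="
Get-ADUser -Filter 'scriptPath -like "*"' -Properties scriptPath, whenChanged |
    Sort-Object whenChanged -Descending |
    Select-Object SamAccountName, scriptPath, whenChanged |
    Format-Table -AutoSize

# 2. Script files reachable through NETLOGON and GPO logon/logoff script folders (DS0022).
$roots = @("\\$dnsRoot\NETLOGON", "\\$dnsRoot\SYSVOL\$dnsRoot\Policies")
$scripts = Get-ChildItem -Path $roots -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.bat', '.cmd', '.vbs', '.ps1', '.js' }

Write-Host "== Logon script files by last write time =="
$scripts | Sort-Object LastWriteTime -Descending |
    Select-Object FullName, LastWriteTime, @{n='Owner'; e={ (Get-Acl $_.FullName).Owner }} |
    Format-Table -AutoSize

# 3. Write-capable ACEs held by identities outside the allow-list (M1022 check).
Write-Host "== Write access outside the administrator allow-list =="
foreach ($file in $scripts) {
    $acl = Get-Acl -Path $file.FullName
    foreach ($ace in $acl.Access) {
        $canWrite = ($ace.FileSystemRights -band $writeBits) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
            $ace.IdentityReference.Value -notin $allowedWriters) {
            [pscustomobject]@{
                File      = $file.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}
```

Run it as a domain user with read access to SYSVOL; any row in the third section is a script that someone outside the allow-list could modify, and a recent LastWriteTime on a script referenced by many accounts deserves a look against change records.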