Boot or Logon Initialization Scripts: Logon Script (Windows)

Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.[1] This is done via adding a path to a script to the HKCU\Environment\UserInitMprLogonScript Registry key.[2]

Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

ID: T1037.001
Sub-technique of:  T1037
Tactics: Persistence, Privilege Escalation
Platforms: Windows
Data Sources: Process monitoring, Windows Registry
Version: 1.0
Created: 10 January 2020
Last Modified: 24 March 2020

Procedure Examples

Name Description
APT28

An APT28 loader Trojan adds the Registry key HKCU\Environment\UserInitMprLogonScript to establish persistence.[6]

Cobalt Group

Cobalt Group has added persistence by registering the file name for the next stage malware under HKCU\Environment\UserInitMprLogonScript.[7]

JHUHUGIT

JHUHUGIT has registered a Windows shell script under the Registry key HKCU\Environment\UserInitMprLogonScript to establish persistence.[3][4]

Zebrocy

Zebrocy performs persistence with a logon script via adding to the Registry key HKCU\Environment\UserInitMprLogonScript.[5]

Mitigations

Mitigation Description
Restrict Registry Permissions

Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence.

Detection

Monitor for changes to Registry values associated with Windows logon scrips, nameley HKCU\Environment\UserInitMprLogonScript.

Monitor running process for actions that could be indicative of abnormal programs or executables running upon logon.

References