Boot or Logon Initialization Scripts: Network Logon Script

Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects.[1] These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, initializing one of these scripts could apply to more than one or potentially all systems.

Adversaries may use these scripts to maintain persistence on a network. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

ID: T1037.003
Sub-technique of:  T1037
Tactics: Persistence, Privilege Escalation
Platforms: Windows
Data Sources: File monitoring, Process monitoring
Version: 1.0
Created: 10 January 2020
Last Modified: 24 March 2020

Mitigations

Mitigation Description
Restrict File and Directory Permissions

Restrict write access to logon scripts to specific administrators.

Detection

Monitor logon scripts for unusual access by abnormal users or at abnormal times. Look for files added or modified by unusual accounts outside of normal administration duties. Monitor running process for actions that could be indicative of abnormal programs or executables running upon logon.

References