Boot or Logon Initialization Scripts: Logon Script (Windows)

Other sub-techniques of Boot or Logon Initialization Scripts (5)

ID	Name
T1037.001	Logon Script (Windows)
T1037.002	Login Hook
T1037.003	Network Logon Script
T1037.004	RC Scripts
T1037.005	Startup Items

Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.^[1] This is done via adding a path to a script to the HKCU\Environment\UserInitMprLogonScript Registry key.^[2]

Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

ID: T1037.001

Sub-technique of: T1037

ⓘ

Tactics: Persistence, Privilege Escalation

ⓘ

Platforms: Windows

Version: 1.0

Created: 10 January 2020

Last Modified: 24 March 2020

Version Permalink

Live Version

Procedure Examples

ID	Name	Description
G0007	APT28	An APT28 loader Trojan adds the Registry key `HKCU\Environment\UserInitMprLogonScript` to establish persistence.^[3]
S0438	Attor	Attor's dispatcher can establish persistence via adding a Registry key with a logon script `HKEY_CURRENT_USER\Environment "UserInitMprLogonScript"` .^[4]
G0080	Cobalt Group	Cobalt Group has added persistence by registering the file name for the next stage malware under `HKCU\Environment\UserInitMprLogonScript`.^[5]
S0044	JHUHUGIT	JHUHUGIT has registered a Windows shell script under the Registry key `HKCU\Environment\UserInitMprLogonScript` to establish persistence.^[6]^[7]
S0526	KGH_SPY	KGH_SPY has the ability to set the `HKCU\Environment\UserInitMprLogonScript` Registry key to execute logon scripts.^[8]
S0251	Zebrocy	Zebrocy performs persistence with a logon script via adding to the Registry key `HKCU\Environment\UserInitMprLogonScript`.^[9]

Mitigations

ID	Mitigation	Description
M1024	Restrict Registry Permissions	Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence.

Detection

ID Data Source Data Component Detects

ID	Data Source	Data Component	Detects
DS0017	Command	Command Execution	Monitor executed commands and arguments for logon scripts
DS0009	Process	Process Creation	Monitor for newly constructed processes and/or command-lines that execute logon scripts Analytic 1 - Boot or Logon Initialization Scripts `(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND CommandLine="regadd\EnvironmentUserInitMprLogonScript"`
DS0024	Windows Registry	Windows Registry Key Creation	Monitor for the creation to Registry keys associated with Windows logon scrips, nameley `HKCU\Environment\UserInitMprLogonScript`. Adversaries may schedule software to run whenever a user logs into the system; this is done to establish persistence and sometimes for lateral movement. This trigger is established through the registry key HKEY_CURRENT_USER\EnvironmentUserInitMprLogonScript. This signature looks edits to existing keys or creation of new keys in that path. Users purposefully adding benign scripts to this path will result in false positives; that case is rare, however. There are other ways of running a script at startup or login that are not covered in this signature. Note that this signature overlaps with the Windows Sysinternals Autoruns tool, which would also show changes to this registry path. Analytic 1 - Boot or Logon Initialization Scripts `(sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode IN (12, 14, 13)) TargetObject= "\EnvironmentUserInitMprLogonScript")`

DS0017

Command

Command Execution

Monitor executed commands and arguments for logon scripts

DS0009

Process

Process Creation

Monitor for newly constructed processes and/or command-lines that execute logon scripts

Analytic 1 - Boot or Logon Initialization Scripts

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND CommandLine="regadd\EnvironmentUserInitMprLogonScript"

DS0024

Windows Registry

Windows Registry Key Creation

Monitor for the creation to Registry keys associated with Windows logon scrips, nameley HKCU\Environment\UserInitMprLogonScript.

Adversaries may schedule software to run whenever a user logs into the system; this is done to establish persistence and sometimes for lateral movement. This trigger is established through the registry key HKEY_CURRENT_USER\EnvironmentUserInitMprLogonScript. This signature looks edits to existing keys or creation of new keys in that path. Users purposefully adding benign scripts to this path will result in false positives; that case is rare, however. There are other ways of running a script at startup or login that are not covered in this signature. Note that this signature overlaps with the Windows Sysinternals Autoruns tool, which would also show changes to this registry path.