Boot or Logon Initialization Scripts: Logon Script (Windows)

Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.[1] This is done via adding a path to a script to the HKCU\Environment\UserInitMprLogonScript Registry key.[2]

Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

ID: T1037.001
Sub-technique of:  T1037
Platforms: Windows
Version: 1.0
Created: 10 January 2020
Last Modified: 24 March 2020

Procedure Examples

ID Name Description
G0007 APT28

An APT28 loader Trojan adds the Registry key HKCU\Environment\UserInitMprLogonScript to establish persistence.[3]

S0438 Attor

Attor's dispatcher can establish persistence via adding a Registry key with a logon script HKEY_CURRENT_USER\Environment "UserInitMprLogonScript" .[4]

G0080 Cobalt Group

Cobalt Group has added persistence by registering the file name for the next stage malware under HKCU\Environment\UserInitMprLogonScript.[5]


JHUHUGIT has registered a Windows shell script under the Registry key HKCU\Environment\UserInitMprLogonScript to establish persistence.[6][7]


KGH_SPY has the ability to set the HKCU\Environment\UserInitMprLogonScript Registry key to execute logon scripts.[8]

S0251 Zebrocy

Zebrocy performs persistence with a logon script via adding to the Registry key HKCU\Environment\UserInitMprLogonScript.[9]


ID Mitigation Description
M1024 Restrict Registry Permissions

Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence.


ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments for logon scripts

DS0009 Process Process Creation

Monitor for newly constructed processes and/or command-lines that execute logon scripts

Analytic 1 - Boot or Logon Initialization Scripts

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND CommandLine="regadd\EnvironmentUserInitMprLogonScript"

DS0024 Windows Registry Windows Registry Key Creation

Monitor for the creation to Registry keys associated with Windows logon scrips, nameley HKCU\Environment\UserInitMprLogonScript.

Adversaries may schedule software to run whenever a user logs into the system; this is done to establish persistence and sometimes for lateral movement. This trigger is established through the registry key HKEY_CURRENT_USER\EnvironmentUserInitMprLogonScript. This signature looks edits to existing keys or creation of new keys in that path. Users purposefully adding benign scripts to this path will result in false positives; that case is rare, however. There are other ways of running a script at startup or login that are not covered in this signature. Note that this signature overlaps with the Windows Sysinternals Autoruns tool, which would also show changes to this registry path.

Analytic 1 - Boot or Logon Initialization Scripts

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode IN (12, 14, 13)) TargetObject= "\Environment*UserInitMprLogonScript")