Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system. This is done via adding a path to a script to the
HKCU\Environment\UserInitMprLogonScript Registry key.
Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.
|Restrict Registry Permissions
Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence.
Monitor executed commands and arguments for logon scripts
Monitor for newly constructed processes and/or command-lines that execute logon scripts
|Windows Registry Key Creation
Monitor for the creation/modification to Registry keys associated with Windows logon scrips, nameley