Adversaries may use Windows logon scripts, which are executed automatically during logon initialization, to establish persistence. Windows allows a logon script to run whenever a specific user or group of users logs into a system. This is configured by adding the path of a script to the `HKCU\Environment\UserInitMprLogonScript` Registry key.
Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.
| ID | Mitigation | Description |
|---|---|---|
| M1024 | Restrict Registry Permissions | Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence. |
| ID | Data Source | Data Component |
|---|---|---|
| DS0024 | Windows Registry | Windows Registry Key Creation |

Monitor for changes to Registry values associated with Windows logon scripts, namely `HKCU\Environment\UserInitMprLogonScript`.

Monitor running processes for actions that could be indicative of abnormal programs or executables running upon logon.
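The following is an added detection example, not part of the ATT&CK page itself, showing how the two monitoring ideas above can be implemented over telemetry: it flags registry writes to the `UserInitMprLogonScript` value under any user hive, flags logon-time processes spawned by `userinit.exe` other than the expected shell, and correlates the two when the written script path shows up in a later command line. The sample events are constructed for the example in a simplified key=value style loosely modelled on Sysmon registry (Event ID 13) and process-creation (Event ID 1) records; they are not real logs, and the `EXPECTED_SCRIPT_PREFIXES` allowlist is an assumed organisational convention, not something the page specifies.

```python
import re
from pathlib import PureWindowsPath

# Registry value written by this technique (matched case-insensitively, under any hive).
KEY_SUFFIX = r"\environment\userinitmprlogonscript"

# Assumed allowlist: where this (hypothetical) organisation expects logon scripts to live.
EXPECTED_SCRIPT_PREFIXES = ("\\\\corp.example\\netlogon\\",)

# Constructed sample telemetry (simplified Sysmon-like key=value records, not real logs).
SAMPLE_EVENTS = [
    r'EventID=13 EventType=SetValue Image=C:\Windows\regedit.exe User=CORP\alice TargetObject=HKU\S-1-5-21-1111\Environment\UserInitMprLogonScript Details=C:\Users\alice\AppData\Local\Temp\update.bat',
    r'EventID=13 EventType=SetValue Image=C:\Windows\System32\gpscript.exe User=CORP\bob TargetObject=HKU\S-1-5-21-2222\Environment\UserInitMprLogonScript Details=\\corp.example\netlogon\mapdrives.cmd',
    r'EventID=13 EventType=SetValue Image=C:\Windows\explorer.exe User=CORP\alice TargetObject=HKU\S-1-5-21-1111\Environment\TEMP Details=C:\Users\alice\AppData\Local\Temp',
    r'EventID=1 Image=C:\Windows\System32\cmd.exe ParentImage=C:\Windows\System32\userinit.exe User=CORP\alice CommandLine="cmd /c C:\Users\alice\AppData\Local\Temp\update.bat"',
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one key=value record into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def find_logon_script_writes(events):
    """Registry SetValue events targeting UserInitMprLogonScript under any user hive."""
    findings = []
    prefixes = tuple(p.lower() for p in EXPECTED_SCRIPT_PREFIXES)
    for ev in events:
        if ev.get("EventID") != "13" or ev.get("EventType") != "SetValue":
            continue
        if not ev.get("TargetObject", "").lower().endswith(KEY_SUFFIX):
            continue
        script = ev.get("Details", "")
        # Any write to this value is worth a look; one pointing outside the
        # expected script location (e.g. a user-writable temp directory) more so.
        findings.append({
            "type": "logon_script_write",
            "user": ev.get("User"),
            "writer": ev.get("Image"),
            "script": script,
            "severity": "medium" if script.lower().startswith(prefixes) else "high",
        })
    return findings


def find_userinit_children(events):
    """Process-creation events spawned by userinit.exe other than the expected shell."""
    findings = []
    for ev in events:
        if ev.get("EventID") != "1":
            continue
        parent = PureWindowsPath(ev.get("ParentImage", "")).name.lower()
        child = PureWindowsPath(ev.get("Image", "")).name.lower()
        if parent == "userinit.exe" and child != "explorer.exe":
            findings.append({
                "type": "userinit_child",
                "user": ev.get("User"),
                "image": ev.get("Image"),
                "command_line": ev.get("CommandLine", ""),
            })
    return findings


def correlate(writes, children):
    """Link a written script path to a logon-time process for the same user that references it."""
    hits = []
    for w in writes:
        for c in children:
            if w["user"] == c["user"] and w["script"].lower() in c["command_line"].lower():
                hits.append({
                    "type": "logon_script_executed",
                    "user": w["user"],
                    "script": w["script"],
                    "image": c["image"],
                    "severity": "high",
                })
    return hits


def analyze(lines):
    """Run all three checks over raw records and return the combined findings."""
    events = [parse_event(line) for line in lines]
    writes = find_logon_script_writes(events)
    children = find_userinit_children(events)
    return writes + children + correlate(writes, children)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample records this reports two `UserInitMprLogonScript` writes (alice's pointing into her Temp directory at high severity, bob's pointing at the allowlisted netlogon share at medium), one non-shell child of `userinit.exe`, and one correlated finding tying alice's written script to its execution at logon. In a real deployment the records would come from the SIEM rather than the inline list, and the allowlist would be the organisation's actual logon-script location.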