Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users logs into a system. This is done by adding the path to a script to the HKCU\Environment\UserInitMprLogonScript Registry key.
Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.
| ID | Mitigation | Description |
|---|---|---|
| M1024 | Restrict Registry Permissions | Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| | | | Monitor executed commands and arguments for logon scripts. |
| | | | Monitor for newly constructed processes and/or command-lines that execute logon scripts. |
| DS0024 | Windows Registry | Windows Registry Key Creation | Monitor for the creation/modification of Registry keys associated with Windows logon scripts, namely |
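The Registry-based detection in the table above, worked through as an added example that is not part of the ATT&CK page: it scans Sysmon registry events (Event ID 12 create/delete, Event ID 13 value set) serialized as JSON lines for any creation or modification of UserInitMprLogonScript, and flags script paths that sit in user-writable locations. The field names follow Sysmon's registry events; the sample events, SIDs, usernames and paths are constructed for this example.

```python
import json
import re

# Constructed Sysmon registry events as JSON lines (not real telemetry).
# Event ID 12 = registry key/value create or delete, Event ID 13 = value set.
SAMPLE_EVENTS = [
    r'{"EventID": 13, "UtcTime": "2024-01-01 10:00:00", "User": "WS01\\alice", "Image": "C:\\Windows\\regedit.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Environment\\UserInitMprLogonScript", "Details": "C:\\Users\\alice\\AppData\\Roaming\\update.bat"}',
    r'{"EventID": 13, "UtcTime": "2024-01-01 10:01:00", "User": "WS01\\alice", "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Environment\\Path", "Details": "C:\\Users\\alice\\bin"}',
    r'{"EventID": 13, "UtcTime": "2024-01-01 10:02:00", "User": "WS01\\bob", "Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1002\\Environment\\UserInitMprLogonScript", "Details": "C:\\Scripts\\logon.cmd"}',
    r'{"EventID": 12, "UtcTime": "2024-01-01 10:03:00", "User": "WS01\\bob", "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Foo", "Details": ""}',
]

# Match the value under a user's Environment key, whether logged as the
# HKU\<SID> path Sysmon writes or the HKCU alias seen in .reg files and tooling.
LOGON_SCRIPT_VALUE = re.compile(
    r"^(?:HKU|HKEY_USERS|HKCU|HKEY_CURRENT_USER)\\"
    r"(?:(?P<sid>S-1-5-[\d-]+)\\)?Environment\\UserInitMprLogonScript$",
    re.IGNORECASE,
)
# Locations a standard user can write to; a logon script there deserves a closer look.
USER_WRITABLE = re.compile(r"\\(?:Users|AppData|Temp|ProgramData|Public)\\", re.IGNORECASE)


def find_logon_script_changes(lines):
    """Return one finding per Sysmon event that creates or sets UserInitMprLogonScript."""
    findings = []
    for line in lines:
        event = json.loads(line)
        if event.get("EventID") not in (12, 13):
            continue  # not a registry create/delete or value-set event
        match = LOGON_SCRIPT_VALUE.match(event.get("TargetObject", ""))
        if not match:
            continue  # some other key or value
        script = event.get("Details", "")
        findings.append({
            "time": event["UtcTime"],
            "user": event["User"],
            "sid": match.group("sid"),  # None when the HKCU alias was logged
            "image": event["Image"],  # the process that wrote the value
            "script": script,
            "user_writable": bool(USER_WRITABLE.search(script)),
        })
    return findings


if __name__ == "__main__":
    for f in find_logon_script_changes(SAMPLE_EVENTS):
        print(f"{f['time']} {f['user']} set logon script via {f['image']}: "
              f"{f['script']} (user-writable path: {f['user_writable']})")
```

Pair this with the mitigation above: if the Environment key's permissions prevent the interactive user from writing the value, a hit from a user-context process such as regedit.exe or reg.exe is itself worth investigating.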