| ID | Name |
|---|---|
| T1037.001 | Logon Script (Windows) |
| T1037.002 | Login Hook |
| T1037.003 | Network Logon Script |
| T1037.004 | RC Scripts |
| T1037.005 | Startup Items |
Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects.[1] These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, initializing one of these scripts could apply to more than one or potentially all systems.
Adversaries may use these scripts to maintain persistence on a network. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.
| ID | Mitigation | Description |
|---|---|---|
| M1022 | Restrict File and Directory Permissions |
Restrict write access to logon scripts to specific administrators. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0367 | Detect Network Logon Script Abuse via Multi-Event Correlation on Windows | AN1034 |
Correlates Group Policy updates that configure network logon scripts with subsequent remote file execution behaviors triggered by user logons to identify potential persistence or execution chains tied to adversarial manipulation of logon scripts. |