Skip to content

T1037.001 Logon Script (Windows)

Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.1 This is done via adding a path to a script to the HKCU\Environment\UserInitMprLogonScript Registry key.2

Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

Item Value
ID T1037.001
Sub-techniques T1037.001, T1037.002, T1037.003, T1037.004, T1037.005
Tactics TA0003, TA0004
Platforms Windows
Version 1.0
Created 10 January 2020
Last Modified 24 March 2020

Procedure Examples

ID Name Description
G0007 APT28 An APT28 loader Trojan adds the Registry key HKCU\Environment\UserInitMprLogonScript to establish persistence.8
S0438 Attor Attor‘s dispatcher can establish persistence via adding a Registry key with a logon script HKEY_CURRENT_USER\Environment “UserInitMprLogonScript” .6
G0080 Cobalt Group Cobalt Group has added persistence by registering the file name for the next stage malware under HKCU\Environment\UserInitMprLogonScript.9
S0044 JHUHUGIT JHUHUGIT has registered a Windows shell script under the Registry key HKCU\Environment\UserInitMprLogonScript to establish persistence.45
S0526 KGH_SPY KGH_SPY has the ability to set the HKCU\Environment\UserInitMprLogonScript Registry key to execute logon scripts.7
S0251 Zebrocy Zebrocy performs persistence with a logon script via adding to the Registry key HKCU\Environment\UserInitMprLogonScript.3


ID Mitigation Description
M1024 Restrict Registry Permissions Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence.


ID Data Source Data Component
DS0017 Command Command Execution
DS0009 Process Process Creation
DS0024 Windows Registry Windows Registry Key Creation