T1037.001 Logon Script (Windows)
Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.[1] This is done by adding the path of a script to the HKCU\Environment\UserInitMprLogonScript Registry key.[2]
Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.
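A defender-side inventory of this value, written as an added PowerShell example (it is not part of the ATT&CK page): it reads the key path named above from every user hive currently loaded under HKEY_USERS rather than only the HKCU of the account running it, and reports which accounts have a logon script registered and whether the referenced file exists. Variable names and the output layout are my own.

```powershell
# Added example: enumerate UserInitMprLogonScript across all loaded user hives.
# Assumes the caller can read HKEY_USERS (typically an elevated prompt).
$results = foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    $sid = $hive.PSChildName
    # *_Classes hives hold file associations only; they never contain an Environment key.
    if ($sid -like '*_Classes') { continue }

    $envKey = "Registry::HKEY_USERS\$sid\Environment"
    if (-not (Test-Path -LiteralPath $envKey)) { continue }

    $props = Get-ItemProperty -LiteralPath $envKey -Name 'UserInitMprLogonScript' -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }   # value absent: the normal state on most workstations

    $script = $props.UserInitMprLogonScript

    # Resolve the SID to an account name so the report is readable; keep the SID on failure.
    $account = $sid
    try {
        $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { }

    # Best-effort existence check after expanding %VARS%; a dangling reference is still
    # worth triaging, since the value may have been left behind by a removed payload.
    $expanded = [Environment]::ExpandEnvironmentVariables($script)
    $exists = Test-Path -LiteralPath $expanded -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Account     = $account
        Sid         = $sid
        LogonScript = $script
        FileExists  = [bool]$exists
    }
}

if ($results) {
    $results | Format-Table -AutoSize
} else {
    Write-Output 'No UserInitMprLogonScript value found in any loaded user hive.'
}
```

Only hives that are currently loaded appear under HKEY_USERS, so profiles of users who are not logged on would need their NTUSER.DAT loaded (for example with `reg load`) before this check sees them.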
| Item | Value |
|---|---|
| ID | T1037.001 |
| Sub-techniques | T1037.001, T1037.002, T1037.003, T1037.004, T1037.005 |
| Tactics | TA0003, TA0004 |
| Platforms | Windows |
| Version | 1.0 |
| Created | 10 January 2020 |
| Last Modified | 24 March 2020 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0007 | APT28 | An APT28 loader Trojan adds the Registry key HKCU\Environment\UserInitMprLogonScript to establish persistence.[9] |
| S0438 | Attor | Attor's dispatcher can establish persistence by adding a logon script to the Registry key HKEY_CURRENT_USER\Environment\UserInitMprLogonScript.[3] |
| G0080 | Cobalt Group | Cobalt Group has added persistence by registering the file name for the next-stage malware under HKCU\Environment\UserInitMprLogonScript.[8] |
| S0044 | JHUHUGIT | JHUHUGIT has registered a Windows shell script under the Registry key HKCU\Environment\UserInitMprLogonScript to establish persistence.[5][6] |
| S0526 | KGH_SPY | KGH_SPY has the ability to set the HKCU\Environment\UserInitMprLogonScript Registry key to execute logon scripts.[4] |
| S0251 | Zebrocy | Zebrocy performs persistence with a logon script by adding to the Registry key HKCU\Environment\UserInitMprLogonScript.[7] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1024 | Restrict Registry Permissions | Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0009 | Process | Process Creation |
| DS0024 | Windows Registry | Windows Registry Key Creation |
References
1. Microsoft. (2005, January 21). Creating logon scripts. Retrieved April 27, 2016.
2. Hexacorn. (2014, November 14). Beyond good ol' Run key, Part 18. Retrieved November 15, 2019.
3. Hromcova, Z. (2019, October). AT Commands, TOR-Based Communications: Meet Attor, a Fantasy Creature and Also a Spy Platform. Retrieved May 6, 2020.
4. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
5. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
6. Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
7. ESET. (2018, November 20). Sednit: What's going on with Zebrocy?. Retrieved February 12, 2019.
8. Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018.
9. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.