T1037.003 Network Logon Script

Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects. These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, initializing one of these scripts could apply to more than one or potentially all systems.

Adversaries may use these scripts to maintain persistence on a network. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

| Item | Value |
| --- | --- |
| ID | T1037.003 |
| Sub-techniques | T1037.001, T1037.002, T1037.003, T1037.004, T1037.005 |
| Tactics | TA0003, TA0004 |
| Platforms | Windows |
| Version | 1.0 |
| Created | 10 January 2020 |
| Last Modified | 24 March 2020 |

Mitigations

| ID | Mitigation | Description |
| --- | --- | --- |
| M1022 | Restrict File and Directory Permissions | Restrict write access to logon scripts to specific administrators. |

Detection

| ID | Data Source | Data Component |
| --- | --- | --- |
| DS0026 | Active Directory | Active Directory Object Modification |
| DS0017 | Command | Command Execution |
| DS0022 | File | File Creation |
| DS0009 | Process | Process Creation |
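
One way to audit mitigation M1022 and to build a baseline for the Active Directory Object Modification data component, as an added example that is not part of the ATT&CK entry. It assumes the RSAT ActiveDirectory module and that scripts are stored in the domain NETLOGON share; the allow-list, the function name `Get-UnexpectedScriptWriter` and the output file names are hypothetical and must be adapted to the environment.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module and read access to NETLOGON.
Import-Module ActiveDirectory
$domain = Get-ADDomain

# Assumption: site-specific allow-list of principals permitted to change logon scripts.
$AllowedWriters = @(
    'NT AUTHORITY\SYSTEM'
    'BUILTIN\Administrators'
    "$($domain.NetBIOSName)\Domain Admins"
)

# Rights that let a principal change a script's content, ACL or owner.
# 0x40000000 and 0x10000000 are GENERIC_WRITE and GENERIC_ALL, which Get-Acl can
# return as raw bits that the FileSystemRights enum does not name.
$fsWrite = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = [int]$fsWrite -bor 0x40000000 -bor 0x10000000

function Get-UnexpectedScriptWriter {
    param([Parameter(Mandatory)][string]$Path)
    # Include the folder itself: write access there allows planting new scripts.
    $items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -Path $Path -Recurse -Force)
    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            $who = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and
                ([int]$ace.FileSystemRights -band $writeMask) -and
                $AllowedWriters -notcontains $who) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $who
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# M1022: every principal outside the allow-list that can modify a logon script.
Get-UnexpectedScriptWriter -Path "\\$($domain.DNSRoot)\NETLOGON" |
    Export-Csv -NoTypeInformation -Path .\logon-script-writers.csv

# DS0026 baseline: accounts with a logon script assigned through scriptPath.
# whenChanged is the object's last change, not specifically the scriptPath change.
Get-ADUser -LDAPFilter '(scriptPath=*)' -Properties scriptPath, whenChanged |
    Select-Object SamAccountName, scriptPath, whenChanged |
    Export-Csv -NoTypeInformation -Path .\scriptpath-baseline.csv
```

Comparing successive runs of both CSV files shows new writers on the share and newly assigned or changed `scriptPath` values.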
