Skip to content

T1037.003 Network Logon Script

Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects. These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, initializing one of these scripts could apply to more than one or potentially all systems.

Adversaries may use these scripts to maintain persistence on a network. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

Item Value
ID T1037.003
Sub-techniques T1037.001, T1037.002, T1037.003, T1037.004, T1037.005
Tactics TA0003, TA0004
Platforms Windows
Version 1.0
Created 10 January 2020
Last Modified 24 March 2020


ID Mitigation Description
M1022 Restrict File and Directory Permissions Restrict write access to logon scripts to specific administrators.


ID Data Source Data Component
DS0026 Active Directory Active Directory Object Modification
DS0017 Command Command Execution
DS0022 File File Creation
DS0009 Process Process Creation