Logon Script (Windows) - T1037.001
(ATT&CK® Technique)
Definition
Adversaries may use Windows logon scripts, which are automatically executed during logon initialization, to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users logs into a system. This is done by adding the path to a script to the HKCU\Environment\UserInitMprLogonScript registry key; because the key lives under HKCU, the script runs in the context of, and persists for, that particular user account.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR; T1037001["Logon Script (Windows)"] --> |modifies| UserInitScript["User Init Script"]; class T1037001 OffensiveTechniqueNode; class UserInitScript ArtifactNode; click UserInitScript href "/dao/artifact/d3f:UserInitScript"; click T1037001 href "/offensive-technique/attack/T1037.001/"; click UserInitScript href "/dao/artifact/d3f:UserInitScript"; EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | UserInitScript["User Init Script"]; EmulatedFileAnalysis["Emulated File Analysis"] -.-> | may-detect | T1037001["Logon Script (Windows)"] ; class EmulatedFileAnalysis DefensiveTechniqueNode; class UserInitScript ArtifactNode; click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; DynamicAnalysis["Dynamic Analysis"] --> | analyzes | UserInitScript["User Init Script"]; DynamicAnalysis["Dynamic Analysis"] -.-> | may-detect | T1037001["Logon Script (Windows)"] ; class DynamicAnalysis DefensiveTechniqueNode; class UserInitScript ArtifactNode; click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; FileEviction["File Eviction"] --> | deletes | UserInitScript["User Init Script"]; FileEviction["File Eviction"] -.-> | may-evict | T1037001["Logon Script (Windows)"] ; class FileEviction DefensiveTechniqueNode; class UserInitScript ArtifactNode; click FileEviction href "/technique/d3f:FileEviction"; FileEncryption["File Encryption"] --> | encrypts | UserInitScript["User Init Script"]; FileEncryption["File Encryption"] -.-> | may-harden | T1037001["Logon Script (Windows)"] ; class FileEncryption DefensiveTechniqueNode; class UserInitScript ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; ContentQuarantine["Content Quarantine"] --> | quarantines | UserInitScript["User Init Script"]; ContentQuarantine["Content Quarantine"] -.-> | may-isolate | T1037001["Logon Script (Windows)"] ; class ContentQuarantine DefensiveTechniqueNode; class UserInitScript ArtifactNode; click ContentQuarantine href 
"/technique/d3f:ContentQuarantine"; ContentModification["Content Modification"] --> | modifies | UserInitScript["User Init Script"]; ContentModification["Content Modification"] -.-> | may-isolate | T1037001["Logon Script (Windows)"] ; class ContentModification DefensiveTechniqueNode; class UserInitScript ArtifactNode; click ContentModification href "/technique/d3f:ContentModification"; DecoyFile["Decoy File"] --> | spoofs | UserInitScript["User Init Script"]; DecoyFile["Decoy File"] -.-> | may-deceive | T1037001["Logon Script (Windows)"] ; class DecoyFile DefensiveTechniqueNode; class UserInitScript ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | UserInitScript["User Init Script"]; FileIntegrityMonitoring["File Integrity Monitoring"] -.-> | may-detect | T1037001["Logon Script (Windows)"] ; class FileIntegrityMonitoring DefensiveTechniqueNode; class UserInitScript ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | UserInitScript["User Init Script"]; ExecutableAllowlisting["Executable Allowlisting"] -.-> | may-isolate | T1037001["Logon Script (Windows)"] ; class ExecutableAllowlisting DefensiveTechniqueNode; class UserInitScript ArtifactNode; click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableDenylisting["Executable Denylisting"] --> | blocks | UserInitScript["User Init Script"]; ExecutableDenylisting["Executable Denylisting"] -.-> | may-isolate | T1037001["Logon Script (Windows)"] ; class ExecutableDenylisting DefensiveTechniqueNode; class UserInitScript ArtifactNode; click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; RestoreFile["Restore File"] --> | restores | UserInitScript["User Init Script"]; RestoreFile["Restore File"] -.-> | may-restore | T1037001["Logon Script (Windows)"] ; class RestoreFile DefensiveTechniqueNode; 
class UserInitScript ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; FileAnalysis["File Analysis"] --> | analyzes | UserInitScript["User Init Script"]; FileAnalysis["File Analysis"] -.-> | may-detect | T1037001["Logon Script (Windows)"] ; class FileAnalysis DefensiveTechniqueNode; class UserInitScript ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis"; ContentFiltering["Content Filtering"] --> | filters | UserInitScript["User Init Script"]; ContentFiltering["Content Filtering"] -.-> | may-isolate | T1037001["Logon Script (Windows)"] ; class ContentFiltering DefensiveTechniqueNode; class UserInitScript ArtifactNode; click ContentFiltering href "/technique/d3f:ContentFiltering"; LocalFilePermissions["Local File Permissions"] --> | restricts | UserInitScript["User Init Script"]; LocalFilePermissions["Local File Permissions"] -.-> | may-isolate | T1037001["Logon Script (Windows)"] ; class LocalFilePermissions DefensiveTechniqueNode; class UserInitScript ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | UserInitScript["User Init Script"]; RemoteFileAccessMediation["Remote File Access Mediation"] -.-> | may-isolate | T1037001["Logon Script (Windows)"] ; class RemoteFileAccessMediation DefensiveTechniqueNode; class UserInitScript ArtifactNode; click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";