Logon scripts run whenever a user logs on to a system. An attacker who can push a script to many hosts (for example through Group Policy) can use this for lateral movement, and a script planted on a single host is a persistence mechanism that fires at every subsequent logon of that user.
Logon Scripts Analysis
RED TEAM: ATTACK
In this example a single registry value, UserInitMprLogonScript under HKCU\Environment, is set so that calc.exe is spawned whenever this particular user logs on. userinit.exe reads the value during logon and runs the path it contains, so the payload executes in the user's context without touching a startup folder or Run key. Because the value lives in the user's hive, the persistence is tied to that account.
reg add HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d C:\Windows\System32\calc.exe
BLUE TEAM: DEFEND
Monitoring writes to this value in the SIEM (for example Sysmon Event ID 13 on a TargetObject ending in UserInitMprLogonScript) catches the modification itself. At the next logon the program is launched by userinit.exe, so a process creation event whose parent is userinit.exe but whose image is not the expected shell (explorer.exe) is a strong indicator that a logon script is being used to run it. Legitimate domain logon scripts run through userinit.exe as well, so baseline those before alerting on every child of userinit.exe.
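The two detections described above, as an added example that is not part of the original post: one rule flags a registry value set on UserInitMprLogonScript, the other flags a process whose parent is userinit.exe but which is not the shell. The Sysmon field names (EventID, TargetObject, Details, Image, ParentImage, CommandLine) are real, but the event records are constructed to mirror the reg add shown earlier and the logon that follows it; the SID and paths are placeholders, not a real capture.

```python
"""Detect UserInitMprLogonScript abuse in Sysmon-style events.

Added example, not part of the original post. The events at the bottom are
constructed to mirror Sysmon's field names; the SID and paths are placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Registry value userinit.exe reads at logon (the value the post abuses).
LOGON_SCRIPT_VALUE = "userinitmprlogonscript"
# Images userinit.exe is expected to launch during a normal interactive logon.
# Assumption: extend this set with baselined domain logon scripts in your estate.
EXPECTED_USERINIT_CHILDREN = {"explorer.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Last component of a Windows path or registry path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_registry_event(ev: Dict) -> Optional[Alert]:
    """Sysmon Event ID 13 (RegistryEvent: value set) writing UserInitMprLogonScript."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "")
    if _basename(target) != LOGON_SCRIPT_VALUE:
        return None
    return Alert(
        rule="logon_script_value_set",
        detail=f"{ev.get('Image')} set {target} to {ev.get('Details')!r}",
    )


def check_process_event(ev: Dict) -> Optional[Alert]:
    """Sysmon Event ID 1 (ProcessCreate) parented by userinit.exe but not the shell."""
    if ev.get("EventID") != 1:
        return None
    if _basename(ev.get("ParentImage", "")) != "userinit.exe":
        return None
    if _basename(ev.get("Image", "")) in EXPECTED_USERINIT_CHILDREN:
        return None
    return Alert(
        rule="userinit_unexpected_child",
        detail=f"userinit.exe spawned {ev.get('Image')} ({ev.get('CommandLine')})",
    )


def scan(events: List[Dict]) -> List[Alert]:
    """Run both rules over a list of events and return the alerts in order."""
    alerts: List[Alert] = []
    for ev in events:
        for check in (check_registry_event, check_process_event):
            alert = check(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample events: the reg add from the post, a benign PATH edit,
# the normal shell launch, and the planted logon script firing at next logon.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Environment\\UserInitMprLogonScript",
     "Details": "C:\\Windows\\System32\\calc.exe"},
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Environment\\Path",
     "Details": "C:\\Tools"},
    {"EventID": 1, "Image": "C:\\Windows\\explorer.exe",
     "ParentImage": "C:\\Windows\\System32\\userinit.exe",
     "CommandLine": "C:\\Windows\\Explorer.EXE"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\calc.exe",
     "ParentImage": "C:\\Windows\\System32\\userinit.exe",
     "CommandLine": "C:\\Windows\\System32\\calc.exe"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.detail}")
```

Running the script against the constructed events produces exactly two alerts: the value being set by reg.exe, and calc.exe being spawned by userinit.exe at the following logon. The benign PATH change and the explorer.exe launch are ignored, which is the point of keying the registry rule on the value name rather than the whole Environment key and of excluding the expected shell from the parent-child rule.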