Logon Scripts

Scripts can be launched whenever a user logs onto a system. Utilising this we’re able to move laterally in an environment if we can push scripts to multiple assets (for example through group policy), or we can maintain persistence through this technique.

Logon Scripts Analysis

Lab Example


In this example we’ve used 1 registry key to ensure that whenever a particular user logs onto a system calc.exe is spawned.

reg add HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d C:\Windows\System32\calc.exe

T1037 - Logon Scripts


By monitoring this registry key within our SIEM we can detect the malicious modification and also see this being launched by userinit.exe which is a good indicator that logon scripts are being utilised to launch this program.

T1037 - Logon Scripts