Boot or Logon Initialization Scripts: Logon Script (Windows)
Adversaries may use Windows logon scripts, which are executed automatically during logon initialization, to establish persistence. Windows allows a logon script to run whenever a specific user or group of users logs in to a system.(Citation: TechNet Logon Scripts) This is done by adding the path of a script to the HKCU\Environment\UserInitMprLogonScript Registry value.(Citation: Hexacorn Logon Scripts)
Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.
Procedure Examples

Name | Description |
---|---|
APT28 | An APT28 loader Trojan adds the Registry key |
Attor | Attor's dispatcher can establish persistence via adding a Registry key with a logon script |
JHUHUGIT | JHUHUGIT has registered a Windows shell script under the Registry key |
KGH_SPY | KGH_SPY has the ability to set the |
Zebrocy | Zebrocy performs persistence with a logon script via adding to the Registry key |
Cobalt Group | Cobalt Group has added persistence by registering the file name for the next stage malware under |
Mitigations

Mitigation | Description |
---|---|
Restrict Registry Permissions | Restrict the ability to modify certain hives or keys in the Windows Registry. |
Detection
Monitor for changes to Registry values associated with Windows logon scripts, namely HKCU\Environment\UserInitMprLogonScript.
Monitor running process for actions that could be indicative of abnormal programs or executables running upon logon.
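The following PowerShell audit is an added example and is not part of the ATT&CK page or any of the cited reports. It enumerates every user hive currently loaded under HKEY_USERS, reports any UserInitMprLogonScript value it finds, and checks whether the referenced script still exists on disk. It assumes it is run with sufficient rights to read other users' hives (an administrator session for anything other than the current user); the variable and property names are the example's own.

```powershell
# Added example (not from the ATT&CK page): audit loaded user hives for the
# UserInitMprLogonScript value this sub-technique abuses.
# Assumes read access to HKEY_USERS subkeys; run elevated to cover all users.

$results = foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    # *_Classes subkeys are COM/file-association data and never hold an Environment key.
    if ($hive.PSChildName -like '*_Classes') { continue }

    $envPath = "Registry::$($hive.Name)\Environment"
    if (-not (Test-Path -Path $envPath)) { continue }

    $value = (Get-ItemProperty -Path $envPath -ErrorAction SilentlyContinue).UserInitMprLogonScript
    if ([string]::IsNullOrWhiteSpace($value)) { continue }

    # Resolve the hive's SID to an account name; .DEFAULT and orphaned SIDs are reported as-is.
    $sid = $hive.PSChildName
    try {
        $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        $account = $sid
    }

    # The value may be a bare path or a command line: expand environment
    # variables, then take the quoted path or the first token as the target.
    $expanded = [Environment]::ExpandEnvironmentVariables($value)
    if ($expanded -match '^"([^"]+)"') {
        $target = $Matches[1]
    } else {
        $target = ($expanded -split '\s+')[0]
    }

    [pscustomobject]@{
        Account      = $account
        Hive         = $hive.Name
        LogonScript  = $value
        TargetExists = [bool](Test-Path -LiteralPath $target -PathType Leaf -ErrorAction SilentlyContinue)
    }
}

if ($results) {
    Write-Warning "UserInitMprLogonScript is set in $(@($results).Count) loaded user hive(s); review each entry."
    $results | Format-Table -AutoSize
} else {
    Write-Output 'No UserInitMprLogonScript values found in loaded user hives.'
}
```

Two caveats for using this as a control: it only sees hives that are currently loaded (logged-on users and the service accounts), so a value planted in the NTUSER.DAT of a user who is not logged on will not appear until that user's next logon; and a non-empty value is not proof of compromise, since the mechanism is legitimately used by some environments. For continuous monitoring rather than point-in-time audit, the same condition can be expressed as a Sysmon Event ID 13 (RegistryEvent, value set) rule on a TargetObject ending in \Environment\UserInitMprLogonScript, paired with the process-lineage check the text above describes.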
References
- Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part 18. Retrieved November 15, 2019.
- Microsoft. (2005, January 21). Creating logon scripts. Retrieved April 27, 2016.
- Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
- ESET. (2018, November 20). Sednit: What's going on with Zebrocy? Retrieved February 12, 2019.
- Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
- Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
- ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
- Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
- Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018.
Related Risks

Risk | Links |
---|---|
Attacker persistence in the OS due to the ability to place a script in autorun via Windows logon scripts on Windows | Privilege escalation; Unauthorized access |