- Tactics
- Persistence , Privilege Escalation
- Platforms
- Windows
- Reference
- attack.mitre.org/techniques/T1037.003
Description
Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects.(Citation: Petri Logon Script AD) These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, initializing one of these scripts could apply to more than one or potentially all systems.
Adversaries may use these scripts to maintain persistence on a network. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.
How GTK Cyber trains on this
GTK Cyber's hands-on training programs cover detection engineering across the MITRE ATT&CK framework, including the Persistence, Privilege Escalation tactic this technique falls under. Our practitioner-led courses focus on building real detections, not just memorizing technique IDs.
Related techniques
- T1037 — Boot or Logon Initialization Scripts
- T1053 — Scheduled Task/Job
- T1055 — Process Injection
- T1068 — Exploitation for Privilege Escalation
- T1078 — Valid Accounts
- T1098 — Account Manipulation
- T1112 — Modify Registry
- T1133 — External Remote Services
- T1134 — Access Token Manipulation
- T1136 — Create Account
- T1137 — Office Application Startup
- T1176 — Software Extensions