security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fc495c1192fda69bd1ed33a13d7590ef055eee09
atomic-red-team/atomics/T1037/T1037.md
T
caseysmithrc a1dddca13c fix
2018-05-24 07:49:17 -06:00

44 lines
2.2 KiB
Markdown
Raw Blame History

# T1037 - Logon Scripts
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1037)
<blockquote>===Windows===
Windows allows logon scripts to be run whenever a specific user or group of users log into a system. (Citation: TechNet Logon Scripts) The scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server.
If adversaries can access these scripts, they may insert additional code into the logon script to execute their tools when a user logs in. This code can allow them to maintain persistence on a single system, if it is a local script, or to move laterally within a network, if the script is stored on a central server and pushed to many systems. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.
===Mac===
Mac allows login and logoff hooks to be run as root whenever a specific user logs into or out of a system. A login hook tells Mac OS X to execute a certain script when a user logs in, but unlike startup items, a login hook executes as root (Citation: creating login hook). There can only be one login hook at a time though. If adversaries can access these scripts, they can insert additional code to the script to execute their tools when a user logs in.
Detection: Monitor logon scripts for unusual access by abnormal users or at abnormal times. Look for files added or modified by unusual accounts outside of normal administration duties.
Platforms: macOS, Windows
Data Sources: File monitoring, Process monitoring
System Requirements: Write access to system or domain logon scripts</blockquote>
## Atomic Tests
- [Atomic Test #1 - Logon Scripts](#atomic-test-1---logon-scripts)
<br/>
## Atomic Test #1 - Logon Scripts
Added Via Reg.exe
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| script_command | Command To Execute | String | cmd.exe /c calc.exe|
#### Run it with `command_prompt`!
```
REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d "#{script_command}"
```
<br/>
Reference in New Issue View Git Blame Copy Permalink