Logon Script (Windows)

Information

• Name: Logon Script (Windows)

• ID: T1037.001

• Tactics: TA0003, TA0004

• Technique: T1037

Introduction

The Logon Script (Windows) sub-technique (T1037.001) within the MITRE ATT&CK framework refers to adversaries leveraging Windows logon scripts to execute malicious code or commands automatically upon user logon. Logon scripts are traditionally used by administrators to configure user environments, map network drives, or deploy software. Attackers exploit these scripts to achieve persistence, escalate privileges, or execute malicious payloads without immediate detection.

Deep Dive Into Technique

Logon scripts in Windows environments are typically batch (.bat), VBScript (.vbs), or PowerShell (.ps1) scripts executed automatically during user authentication. These scripts reside either locally on the system or remotely on domain controllers, typically in locations such as:

• Local paths:

  • C:\Windows\System32\GroupPolicy\User\Scripts\Logon\

  • C:\Windows\System32\GroupPolicy\Machine\Scripts\Startup\

• Domain controller paths:

  • \\<DomainController>\SYSVOL\<DomainName>\scripts\

Attackers leveraging this technique typically perform the following steps:

1. Gain initial access to the target system or network through phishing, exploitation, or stolen credentials.

2. Identify the logon scripts' location and permissions.

3. Modify existing legitimate scripts or create new malicious scripts.

4. Ensure scripts execute automatically upon user or system logon.

Common methods of exploitation include:

• Injecting malicious commands into legitimate scripts.

• Creating new scripts that execute malware or establish command-and-control (C2) channels.

• Leveraging Group Policy Objects (GPOs) to distribute malicious scripts across multiple machines in a domain environment.

Adversaries may use scripting languages such as PowerShell or VBScript, providing flexibility and obfuscation capabilities to evade detection.

When this Technique is Usually Used

Attackers commonly use this sub-technique during multiple stages of cyber-attacks, including:

• Persistence: Ensuring continued access to compromised systems by automatically executing malicious scripts upon user logon or system startup.

• Privilege Escalation: Leveraging scripts executed under higher privilege contexts to escalate privileges.

• Lateral Movement: Deploying scripts via Group Policy Objects (GPOs) to propagate across multiple systems within an enterprise.

• Execution: Executing payloads and malware automatically without immediate user intervention, thus maintaining stealth.

Typical scenarios include:

• Advanced Persistent Threat (APT) groups embedding malicious scripts into existing logon scripts to maintain long-term access.

• Insider threats modifying scripts for unauthorized access or data exfiltration.

• Malware campaigns utilizing logon scripts to ensure continued execution after initial compromise.

How this Technique is Usually Detected

Detection methods and indicators of compromise (IoCs) include:

• Monitoring Script Locations:

  • Regular auditing of script directories (SYSVOL, local Group Policy script locations) for unauthorized changes or additions.

  • File integrity monitoring to detect modifications to known legitimate scripts.

• Event Log Analysis:

  • Windows Security Event Logs (e.g., Event ID 4624 for logon events).

  • Group Policy operational logs (Microsoft-Windows-GroupPolicy/Operational) to detect changes or script deployments.

• Endpoint Protection and EDR:

  • Endpoint Detection and Response (EDR) solutions monitoring script execution and anomalous behaviors.

  • Antivirus and anti-malware tools scanning for known malicious scripts or suspicious script execution patterns.

• Behavioral Analytics:

  • Identifying unusual user logon patterns, script execution anomalies, or abnormal processes spawned by scripts.

  • Leveraging Security Information and Event Management (SIEM) systems to correlate logon script executions with suspicious activities.

Specific Indicators of Compromise (IoCs):

• Unexpected or unauthorized scripts appearing in standard logon script directories.

• Scripts executing commands to download payloads from external or suspicious IP addresses or URLs.

• Unusual processes or network connections initiated shortly after user logon.

Why it is Important to Detect This Technique

Early detection of malicious logon scripts is crucial due to the following potential impacts on systems and networks:

• Persistence and Long-term Compromise:

  • Attackers can maintain prolonged unauthorized access, allowing them to conduct espionage, data exfiltration, or sabotage.

• Privilege Escalation Risks:

  • Scripts running under elevated privileges can escalate attacker privileges, increasing the severity and scope of compromise.

• Lateral Movement and Rapid Propagation:

  • Malicious scripts distributed via Group Policy Objects can quickly infect multiple systems, exponentially increasing the attack surface.

• Stealth and Difficulty of Detection:

  • Leveraging legitimate administrative mechanisms (logon scripts) allows attackers to blend in with normal administrative activity, making detection challenging.

• Data Exfiltration and Operational Disruption:

  • Malicious scripts can exfiltrate sensitive data, disrupt operations, or install additional malware payloads, severely impacting business continuity and security posture.

Early detection and rapid response minimize potential damage, limit attacker footholds, and reduce remediation costs significantly.

Examples

Real-world examples of attackers using logon scripts include:

• APT32 (OceanLotus):

  • Known for modifying logon scripts in compromised environments to maintain persistence and execute PowerShell scripts for command-and-control communication.

  • Typically targeted Southeast Asian organizations and government entities, embedding obfuscated PowerShell commands into logon scripts for stealthy execution.

• FIN7 Group:

  • Utilized logon scripts to deploy malware payloads across multiple compromised hosts in financial and retail sectors.

  • Scripts executed reconnaissance commands, established persistence, and downloaded additional malware for data exfiltration.

• TrickBot Malware Campaigns:

  • Leveraged Group Policy Objects and logon scripts to propagate ransomware payloads like Ryuk across enterprise environments.

  • Malicious scripts executed commands to disable security tools, establish persistence, and initiate ransomware encryption.

Typical attack scenario:

1. Initial compromise via phishing email or exploitation.

2. Attacker gains administrative privileges and accesses domain controllers or local machines.

3. Malicious scripts are embedded into existing or new logon scripts.

4. Scripts execute automatically upon user logon, downloading additional payloads or establishing persistent backdoor connections.

5. Attackers leverage established persistence to escalate privileges, move laterally, and exfiltrate sensitive data.

Tools and methods commonly observed:

• PowerShell scripts obfuscated with Base64 encoding or encryption.

• VBScript or batch scripts executing payload downloads from external servers.

• Group Policy manipulation tools (e.g., PowerSploit, Empire) to automate malicious script deployment via GPOs.

Impacts observed in real-world attacks:

• Unauthorized persistent access leading to long-term espionage.

• Rapid infection and lateral movement across enterprise networks.

• Significant data breaches and ransomware infections causing operational disruption and financial loss.