Network Logon Script

Information

• Name: Network Logon Script

• ID: T1037.003

• Tactics: TA0003, TA0004

• Technique: T1037

Introduction

Network Logon Script (T1037.003) is a sub-technique within the MITRE ATT&CK framework under the parent technique "Boot or Logon Initialization Scripts (T1037)." Attackers leverage this method by manipulating scripts automatically executed during user logon over a network. These scripts typically reside on domain controllers and are executed by client systems upon user authentication, enabling adversaries to achieve persistence, privilege escalation, or lateral movement within compromised environments.

Deep Dive Into Technique

Network logon scripts are commonly configured within Active Directory (AD) environments and are executed each time a user authenticates to a domain. Administrators use these scripts for legitimate purposes such as mapping network drives, deploying software, or configuring user environments. Attackers exploit these scripts to execute malicious code persistently and stealthily.

Technical details include:

• Script Locations and Types:

  • Typically located on domain controllers within the NETLOGON share (\\<DomainController>\NETLOGON\).

  • Common script types include batch files (.bat), VBScript (.vbs), PowerShell (.ps1), or even executables.

• Execution Flow:

  1. User authenticates to the domain.

  2. Domain controller instructs the client to execute assigned logon scripts.

  3. Scripts execute under the context of the logged-in user, potentially granting attackers user-level access or privileges.

• Manipulation Techniques:

  • Attackers may modify existing legitimate scripts or introduce new malicious scripts.

  • Scripts can be edited directly on domain controllers or through compromised administrative accounts with sufficient privileges.

  • Malicious scripts may include commands to download payloads, establish reverse shells, or execute reconnaissance tasks.

• Privilege Requirements:

  • Typically requires administrative privileges or sufficient permissions to modify scripts on domain controllers or related Group Policy Objects (GPOs).

  • Attackers may escalate privileges first or compromise privileged accounts to manipulate scripts.

When this Technique is Usually Used

Attackers typically employ the Network Logon Script technique during specific phases of the cyberattack lifecycle, including:

• Persistence:

  • Ensuring continuous access to compromised networks by embedding malicious code in scripts executed at every user logon.

  • Maintaining long-term footholds within enterprise environments.

• Privilege Escalation:

  • Exploiting scripts executed by users with higher privileges to elevate attacker permissions.

• Lateral Movement:

  • Spreading malicious payloads or commands across numerous hosts simultaneously through centralized logon scripts.

  • Achieving rapid propagation across enterprise networks.

• Reconnaissance and Information Gathering:

  • Using scripts to execute reconnaissance commands, gather credentials, or collect sensitive data during user logon events.

How this Technique is Usually Detected

Detection typically involves monitoring script execution, auditing changes to scripts, and observing unusual behaviors or anomalies. Effective detection methods include:

• Monitoring and Auditing:

  • Regularly auditing the contents of logon scripts stored in the NETLOGON share.

  • Monitoring file system modifications on domain controllers, specifically within script directories.

  • Tracking changes to Group Policy Objects (GPOs) linked to logon scripts through Windows Event Logs (Event IDs 4662, 5136, 5141).

• Endpoint Detection and Response (EDR) Solutions:

  • EDR tools identifying unusual script execution patterns, suspicious child processes, or unexpected network connections initiated from logon scripts.

• Behavioral Analysis:

  • Detecting abnormal script behavior, such as execution of PowerShell commands downloading external payloads or establishing remote connections.

  • Monitoring network traffic for outbound connections initiated by scripts during logon events.

• Indicators of Compromise (IoCs):

  • Unexpected or unauthorized scripts in the NETLOGON share.

  • Suspicious commands within scripts (e.g., downloaders, encoded payloads, reverse shell commands).

  • Unusual user account behavior or unexpected privilege escalations following logon script execution.

Why it is Important to Detect This Technique

Early detection of malicious network logon scripts is crucial due to the severe impacts and risks posed to enterprise environments:

• Persistent Access:

  • Attackers gain continuous and stealthy persistence, complicating remediation efforts and increasing dwell time.

• Rapid Lateral Movement:

  • Malicious scripts can quickly propagate malware or commands across many endpoints simultaneously, significantly accelerating attacker reach and impact.

• Credential Compromise:

  • Scripts executed at logon can harvest credentials, enabling attackers to further escalate privileges or expand access.

• Data Exfiltration and Espionage:

  • Attackers can leverage scripts to collect sensitive information, intellectual property, or confidential data, posing significant operational and reputational risks.

• Operational Disruption:

  • Malicious scripts can lead to system instability, outages, or loss of productivity, directly impacting business continuity.

Detecting and mitigating this technique early significantly reduces attacker effectiveness, minimizes damage, and preserves organizational integrity and security posture.

Examples

Real-world scenarios and examples of attackers leveraging Network Logon Script (T1037.003):

• FIN7 Group:

  • Attackers associated with FIN7 have been known to modify or insert malicious scripts within AD logon scripts to deploy malware such as Carbanak and Cobalt Strike payloads.

  • Scripts executed at logon enabled FIN7 to maintain persistence, conduct lateral movement, and exfiltrate sensitive financial data from targeted organizations.

• APT32 (OceanLotus):

  • Leveraged compromised administrative credentials to modify existing network logon scripts, embedding PowerShell commands to execute malicious payloads on user endpoints.

  • Enabled persistent control and reconnaissance activities within victim networks, primarily targeting organizations in Southeast Asia.

• Ryuk Ransomware Attacks:

  • Attackers deploying Ryuk ransomware have manipulated logon scripts to propagate ransomware payloads across multiple endpoints simultaneously, rapidly encrypting enterprise environments and maximizing disruption.

• NotPetya Malware Incident:

  • Although NotPetya primarily leveraged other propagation methods, attackers have similarly used compromised logon scripts to rapidly propagate destructive malware across enterprise networks, causing massive operational disruption and financial loss.

In each scenario, attackers exploited network logon scripts due to their centralized location, ease of propagation, and ability to execute malicious commands at scale, underscoring the importance of monitoring, detecting, and securing logon scripts within enterprise environments.