{
  "type": "attack-pattern",
  "spec_version": "2.1",
  "id": "attack-pattern--eb125d40-0b2d-41ac-a71a-3229241c2cd3",
  "created": "2020-01-10T03:43:37.211Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "revoked": false,
  "external_references": [
    {
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/techniques/T1037/001",
      "external_id": "T1037.001"
    },
    {
      "source_name": "Hexacorn Logon Scripts",
      "description": "Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part 18. Retrieved November 15, 2019.",
      "url": "http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/"
    },
    {
      "source_name": "TechNet Logon Scripts",
      "description": "Microsoft. (2005, January 21). Creating logon scripts. Retrieved April 27, 2016.",
      "url": "https://technet.microsoft.com/en-us/library/cc758918(v=ws.10).aspx"
    }
  ],
  "object_marking_refs": [
    "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
  ],
  "modified": "2025-10-24T17:49:33.610Z",
  "name": "Logon Script (Windows)",
  "description": "Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.(Citation: TechNet Logon Scripts) This is done via adding a path to a script to the <code>HKCU\\Environment\\UserInitMprLogonScript</code> Registry key.(Citation: Hexacorn Logon Scripts)\n\nAdversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary. ",
  "kill_chain_phases": [
    {
      "kill_chain_name": "mitre-attack",
      "phase_name": "persistence"
    },
    {
      "kill_chain_name": "mitre-attack",
      "phase_name": "privilege-escalation"
    }
  ],
  "x_mitre_attack_spec_version": "3.2.0",
  "x_mitre_deprecated": false,
  "x_mitre_domains": [
    "enterprise-attack"
  ],
  "x_mitre_is_subtechnique": true,
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_platforms": [
    "Windows"
  ],
  "x_mitre_version": "1.0"
}