MITRE ATT&CK® Analytic

AN1034: Analytic 1034

Correlates Group Policy updates that configure network logon scripts with subsequent remote file execution behaviors triggered by user logons to identify potential persistence or execution chains tied to adversarial manipulation of logon scripts.

Enterprise | AN1034 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Analytic 1034 matters because Windows Group Policy logon scripts can turn normal user sign-in activity into a repeatable execution path. For leaders, the risk is not just a script running; it is that a change to centralized policy can create persistence or widespread execution across users who log on afterward. This makes the behavior important for identity governance, Windows endpoint monitoring, incident response scoping, and audit evidence around administrative change control.

Executive priority

Prioritize this as a control-validation question: can the organization see when Group Policy is changed to configure network logon scripts, and can it connect that change to later remote file execution during user logons? If not, responders may miss a persistence mechanism that is centrally managed and potentially broad in reach. Security leaders should confirm ownership of Group Policy change review, endpoint telemetry retention, and SOC procedures for correlating policy updates with subsequent logon-time execution.

Technical view

For Windows environments, validate the ability to correlate two evidence streams: Group Policy updates that configure network logon scripts, and later remote file execution behaviors triggered by user logons. Because no official detection logic is provided, teams should treat this analytic as a detection design pattern rather than a ready-made rule. SOC and IR teams should test whether they can identify the relevant Group Policy change, determine affected users or systems, and trace execution activity occurring at logon from network locations.

Likely telemetry

  • Windows Group Policy change or configuration audit data
  • Directory or policy administration logs showing who changed logon script settings
  • Endpoint process execution telemetry around user logon time
  • File access or execution telemetry for scripts or binaries launched from network paths
  • User logon events to correlate policy application and execution timing

Detection direction

  • Validate correlation between policy modification time, affected scope, user logon events, and remote file execution.
  • Tune for administrative baselines: legitimate logon scripts are common in some Windows environments, so detection should emphasize new, changed, unusual, or poorly governed script paths rather than any logon script use.
  • Confirm whether the SOC can distinguish expected enterprise logon automation from suspicious remote execution following a recent Group Policy update.
  • Review blind spots where Group Policy auditing, endpoint process telemetry, network share logging, or logon event retention is incomplete.
  • Use the analytic as an investigation trigger for persistence or execution chains, not as standalone proof of malicious activity.
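The correlation described above, written out as a runnable sketch. This is an added example, not MITRE's or Glexia's detection logic: the event schema, the sample telemetry, and the assumed logon-time parent images (gpscript.exe, userinit.exe) are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): one Group Policy edit that sets a
# network logon script, then two user logons with the processes they spawned.
EVENTS = [
    {"ts": "2024-05-01T08:00:00", "kind": "gpo_change", "actor": "CORP\\jdoe",
     "gpo": "Default Domain Policy", "script": "\\\\fs01\\netlogon\\update.bat"},
    {"ts": "2024-05-01T08:30:00", "kind": "logon", "user": "CORP\\alice", "host": "WS-17"},
    {"ts": "2024-05-01T08:30:05", "kind": "process", "user": "CORP\\alice", "host": "WS-17",
     "parent": "gpscript.exe", "image": "\\\\fs01\\netlogon\\update.bat"},
    {"ts": "2024-05-01T09:10:00", "kind": "logon", "user": "CORP\\bob", "host": "WS-22"},
    {"ts": "2024-05-01T09:10:03", "kind": "process", "user": "CORP\\bob", "host": "WS-22",
     "parent": "explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe"},
]
# Assumed parent images for logon-time script execution (gpscript.exe for Group
# Policy scripts, userinit.exe for classic NETLOGON scripts); tune to your baseline.
LOGON_PARENTS = {"gpscript.exe", "userinit.exe"}

def _t(e):
    return datetime.fromisoformat(e["ts"])

def _share(unc):
    """Normalise a UNC path to its \\\\server\\share prefix, lower-cased."""
    parts = unc.lower().lstrip("\\").split("\\")
    return "\\\\" + "\\".join(parts[:2])

def correlate(events, gpo_window=timedelta(hours=24), logon_window=timedelta(seconds=60)):
    """Return alerts for network-path executions at logon that follow a GPO logon-script change."""
    gpo_changes = [e for e in events if e["kind"] == "gpo_change"]
    logons = [e for e in events if e["kind"] == "logon"]
    alerts = []
    for p in (e for e in events if e["kind"] == "process"):
        # Step 1: only scripts/binaries launched from a network path by a logon parent
        if not p["image"].startswith("\\\\") or p["parent"].lower() not in LOGON_PARENTS:
            continue
        # Step 2: the execution must closely follow a logon of that user on that host
        if not any(l["user"] == p["user"] and l["host"] == p["host"]
                   and timedelta(0) <= _t(p) - _t(l) <= logon_window for l in logons):
            continue
        # Step 3: a recent GPO change must have pointed a logon script at the same share
        for g in gpo_changes:
            age = _t(p) - _t(g)
            if timedelta(0) <= age <= gpo_window and _share(g["script"]) == _share(p["image"]):
                alerts.append({"user": p["user"], "host": p["host"], "image": p["image"],
                               "gpo": g["gpo"], "changed_by": g["actor"],
                               "minutes_after_change": int(age.total_seconds() // 60)})
    return alerts
```

Only alice's logon produces an alert: bob's process is a local binary, so it never reaches the GPO check. Narrowing `gpo_window` or adding an inventory of approved script paths is where the baseline tuning from the list above would go.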

Mitigation priorities

  • Maintain governance over Group Policy changes, including approval, review, and accountability for logon script configuration.
  • Restrict who can modify Group Policy objects that affect user logon behavior.
  • Inventory legitimate logon scripts and expected network paths so deviations can be assessed quickly.
  • Ensure Windows endpoint, logon, and policy-change telemetry is retained long enough to support correlation during incident response.
  • Periodically test detection and response workflows by confirming analysts can trace a Group Policy logon script change to subsequent user logon execution activity.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for Windows and describes correlation of Group Policy logon script updates with later remote file execution at user logon. No tactics, relationships, aliases, or official detection logic were supplied, so this take focuses on defensive validation and operational questions rather than specific rule syntax or adversary behavior.

This assessment is limited to the supplied official STIX fields, external reference, and empty relationship context. It does not establish active exploitation, attribution, prevalence, impact, or guaranteed detection coverage. Local Group Policy design, logging configuration, administrative practices, and endpoint telemetry quality are required to determine actual risk and coverage.

Official MITRE ATT&CK definition

Analytic 1034

Correlates Group Policy updates that configure network logon scripts with subsequent remote file execution behaviors triggered by user logons to identify potential persistence or execution chains tied to adversarial manipulation of logon scripts.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 4c1a5d4b3c87fc21...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 4c1a5d4b3c87…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack, AN1034 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.