MITRE ATT&CK® Detection Strategy

DET0072: Detect Logon Script Modifications and Execution


Enterprise | DET0072 | Detection Strategy | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0072 is a MITRE detection strategy for finding modification or execution of Windows logon scripts associated with ATT&CK technique T1037.001, Logon Script (Windows). The business significance is persistence: if an attacker can cause code to run when a user logs on, access can survive reboots and routine user activity, complicating containment and recovery. Even though the detection strategy object itself has no official description, detection text, tactics, or platforms specified, its relationship to T1037.001 makes it relevant to Windows endpoint hardening, identity operations, SOC monitoring, and incident response readiness.

Executive priority

Prioritize this as a resilience and containment question: can the organization prove it can identify unauthorized changes to logon-script persistence points and respond before persistence spreads operationally? Security leaders should ask whether Windows endpoint telemetry, registry monitoring, and logon activity are retained and reviewable; whether SOC playbooks treat logon-script changes as persistence or privilege-escalation evidence; and whether audit evidence can show who changed relevant settings, when, and on which systems.

Technical view

Because the detection strategy has no official detection logic, defenders should scope validation from the related ATT&CK technique, T1037.001. Confirm visibility into Windows logon-script configuration changes, especially modifications involving the HKCU\Environment\UserInitMprLogonScript Registry key referenced in the related technique description, and correlate those changes with script execution at user logon. SOC and IR teams should validate whether alerts distinguish expected administrative or configuration-management activity from unusual per-user persistence changes, and whether affected user context, host, timestamp, registry path, and executed script path are captured for investigation.

Likely telemetry

  • Windows endpoint registry modification events for logon-script-related keys
  • User logon events and associated user/session context
  • Process creation or script execution telemetry at or shortly after logon
  • File creation or modification events for referenced script paths
  • Endpoint detection and response records that link registry changes, logon activity, and process execution

Detection direction

  • Validate that monitoring covers the related Windows technique even though the detection strategy object lists no platform or official detection text.
  • Alert or hunt for new, changed, or unusual values associated with HKCU\Environment\UserInitMprLogonScript, then correlate to subsequent logon-time execution. In Sysmon and most EDR registry telemetry the per-user hive is reported as HKU\<SID>\Environment\..., so match on the key suffix and resolve the SID to the affected user rather than filtering on the HKCU prefix.
  • Tune against known-good administrative logon scripts, software deployment activity, and configuration-management changes to reduce false positives without suppressing rare per-user changes.
  • Prioritize events where the modifying account, target user, host, or script path is unusual for the environment.
  • During incident response, treat confirmed unauthorized logon-script modification as possible persistence and review recent logons and script executions for the affected user and host.
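The correlation described in the detection direction above, as an added example that is not part of the MITRE object or Glexia's page: it walks constructed Sysmon-style telemetry (RegistryValueSet, ProcessCreate, plus a Logon record), keeps only writes to the UserInitMprLogonScript value under either the HKCU or HKU\<SID>\Environment path, checks the written script against a baseline of authorized logon scripts, and then looks for the script being run within a short window of the target user's next logon on the same host. The event schema, hosts, SIDs, script paths and the baseline set are all constructed for the example; in production the SID-to-user mapping would come from logon events or the directory, not a hard-coded table.

```python
"""Correlate UserInitMprLogonScript modifications with logon-time execution.

Example code added to this page; it is not MITRE's or Glexia's detection logic.
Field names mirror Sysmon (target/details for Event ID 13, image/command_line for
Event ID 1); every event, SID, host and baseline entry below is constructed.
"""
from datetime import datetime, timedelta

VALUE_NAME = "userinitmprlogonscript"

# Hypothetical baseline of authorized logon scripts (assumed for this example).
AUTHORIZED_SCRIPTS = {r"\\corp.example\netlogon\mapdrives.cmd"}

# Constructed HKU\<SID> owner lookup; production code resolves SIDs from 4624/AD.
SID_TO_USER = {
    "S-1-5-21-1111-2222-3333-1001": r"CORP\alice",
    "S-1-5-21-1111-2222-3333-1002": r"CORP\bob",
}


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed telemetry: a per-user persistence write that later runs at logon,
# an unrelated Environment value, and an authorized write by a deployment account.
SAMPLE_EVENTS = [
    {"time": ts("2024-05-02 09:00:00"), "host": "WS01", "user": r"CORP\alice",
     "event": "RegistryValueSet", "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Environment\UserInitMprLogonScript",
     "details": r"C:\Users\alice\AppData\Roaming\svc\update.bat"},
    {"time": ts("2024-05-02 09:00:30"), "host": "WS01", "user": r"CORP\alice",
     "event": "RegistryValueSet", "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Environment\Path",
     "details": r"C:\Tools"},
    {"time": ts("2024-05-02 09:05:00"), "host": "WS01", "user": r"CORP\alice",
     "event": "Logon"},
    {"time": ts("2024-05-02 09:05:12"), "host": "WS01", "user": r"CORP\alice",
     "event": "ProcessCreate", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe",
     "command_line": r'cmd.exe /c "C:\Users\alice\AppData\Roaming\svc\update.bat"'},
    {"time": ts("2024-05-02 10:00:00"), "host": "WS02", "user": r"CORP\deploy-svc",
     "event": "RegistryValueSet", "image": r"C:\Program Files\Deploy\agent.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1002\Environment\UserInitMprLogonScript",
     "details": r"\\corp.example\netlogon\mapdrives.cmd"},
]


def normalize(path):
    """Lower-case and strip surrounding quotes so baseline and command lines compare."""
    return path.strip().strip('"').lower()


def is_logon_script_key(target):
    """Match ...\\Environment\\UserInitMprLogonScript under HKCU or HKU\\<SID>."""
    parts = target.replace("/", "\\").lower().split("\\")
    return len(parts) >= 3 and parts[-1] == VALUE_NAME and parts[-2] == "environment"


def target_user(ev):
    """Owner of the modified hive: HKU\\<SID> resolves via SID; HKCU is the actor."""
    parts = ev["target"].replace("/", "\\").split("\\")
    if parts[0].upper() == "HKU" and len(parts) > 1:
        return SID_TO_USER.get(parts[1], parts[1])
    return ev["user"]


def correlate(events, window=timedelta(minutes=5), baseline=AUTHORIZED_SCRIPTS):
    """One finding per logon-script write: baseline check, then whether the script
    appeared in a process created within `window` of the target user's next logon."""
    baseline = {normalize(p) for p in baseline}
    events = sorted(events, key=lambda e: e["time"])
    findings = []
    for mod in events:
        if mod["event"] != "RegistryValueSet" or not is_logon_script_key(mod["target"]):
            continue
        script = normalize(mod["details"])
        victim = target_user(mod)
        finding = {"host": mod["host"], "target_user": victim, "modified_by": mod["user"],
                   "modifying_image": mod["image"], "modified_at": mod["time"],
                   "script": script, "authorized": script in baseline,
                   "logon_at": None, "executed_at": None}
        for ev in events:  # only later events for the same user on the same host
            if ev["time"] <= mod["time"] or ev["host"] != mod["host"] or ev["user"] != victim:
                continue
            if ev["event"] == "Logon":
                finding["logon_at"] = ev["time"]
            elif (ev["event"] == "ProcessCreate" and finding["logon_at"] is not None
                  and ev["time"] - finding["logon_at"] <= window
                  and script in normalize(ev["command_line"])):
                finding["executed_at"] = ev["time"]
                break
        findings.append(finding)
    return findings


def priority(finding):
    """Triage order: unauthorized and already executed first, authorized last."""
    if not finding["authorized"]:
        return "high" if finding["executed_at"] else "medium"
    return "info"


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(priority(f), f["host"], f["target_user"], f["script"],
              "executed" if f["executed_at"] else "not yet executed",
              "written by", f["modified_by"])
```

Run against the constructed events, alice's write is flagged high (outside the baseline and executed 12 seconds after her next logon, from a cmd.exe whose parent is userinit.exe), while the deployment account's write of the NETLOGON script stays at info. The baseline set is the tuning hook from the detection direction: it suppresses known-good scripts by path, not by account, so a rare per-user write to a path nobody approved is never silenced.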

Mitigation priorities

  • Establish an inventory or baseline of authorized Windows logon-script usage before relying on detections for high-confidence alerting.
  • Restrict who can modify user logon-script configuration and related registry locations according to least privilege.
  • Ensure endpoint telemetry retains registry, logon, process, and file evidence long enough to support investigation and compliance review.
  • Create SOC triage guidance that links logon-script modification to persistence and privilege-escalation investigation paths.
  • Review unauthorized changes during IR containment and remove unapproved persistence only after preserving necessary evidence.

Analyst notes and limits

This take is derived from MITRE ATT&CK detection strategy DET0072 and its supplied relationship to T1037.001, Logon Script (Windows). The most useful defensive interpretation comes from that relationship: Windows logon scripts can be used for persistence and are associated with persistence and privilege-escalation tactics in the related technique.

The DET0072 object provides no official description, no official detection logic, no tactics, and no platforms. Recommendations therefore stay at validation and telemetry-planning level and rely on the supplied relationship to T1037.001. Local environment baselines are required to determine what logon-script activity is authorized, suspicious, or actionable.

Official MITRE ATT&CK definition

Detect Logon Script Modifications and Execution

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID | Name | Relationship / procedure
Enterprise | T1037.001 | Logon Script (Windows) (sub-technique) | This object detects Logon Script (Windows).
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: ec16d8f3be999b3f...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | ec16d8f3be99…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack DET0072 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.