MITRE ATT&CK® Detection Strategy

DET0112: Boot or Logon Initialization Scripts Detection Strategy


Enterprise | DET0112 | Detection Strategy | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy matters because boot and logon initialization scripts are a common place for legitimate administration and adversary persistence to overlap. The supplied ATT&CK relationship says DET0112 detects T1037, Boot or Logon Initialization Scripts, which is associated with persistence and privilege escalation across ESXi, Linux, macOS, and network devices. For leaders, the practical question is whether the organization can distinguish approved startup automation from unauthorized changes that could survive reboots or user logons.

Executive priority

Prioritize this as a resilience and incident-readiness control area where critical infrastructure, virtualization, Unix-like systems, macOS fleets, or network devices depend on startup scripts for normal operations. Executives should ask whether owners can produce evidence of authorized boot/logon scripts, whether changes are monitored, and whether IR teams can quickly identify persistence after a suspected compromise. This is also useful for compliance evidence because it tests change control, privileged access governance, and monitoring of persistence-prone configuration points.

Technical view

Because the ATT&CK object has no official detection text or specified platforms of its own, validation should be anchored to the related technique T1037. SOC and detection engineering teams should inventory boot/logon initialization mechanisms on supported related platforms: ESXi, Linux, macOS, and network devices. Focus on detecting creation, modification, permission changes, ownership changes, or unexpected execution of startup/logon scripts, especially when tied to privileged accounts or unusual parent processes. IR teams should include these locations in persistence triage and post-containment verification.

Likely telemetry

  • File creation, modification, deletion, ownership, and permission-change events for boot or logon script locations
  • Process execution telemetry showing scripts or interpreters launched during boot or user logon
  • Authentication and logon events correlated with script execution
  • Privileged account activity and administrative change records
  • Configuration change logs from ESXi, Linux, macOS, and network devices where available

Detection direction

  • Validate that monitoring covers both local and remotely applied initialization scripts where relevant to the environment.
  • Baseline approved administrative startup scripts and tune detections for deviations in path, owner, permissions, content, timing, or invoking account.
  • Correlate script changes with change tickets, privileged sessions, software deployments, and maintenance windows to reduce false positives.
  • Treat newly created or modified initialization scripts followed by reboot/logon execution as higher-priority persistence evidence.
  • Check blind spots on network devices, ESXi hosts, and non-standard Unix/macOS logging paths, where endpoint telemetry may be weaker than on standard workstations.
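The baseline-and-deviation approach described in the technical view and detection direction above, as an added example that is not part of the Glexia page or of any MITRE content: a small Python checker compares constructed file-change events against an approved inventory of boot/logon scripts and reports deviations in path, owner, permissions, content, or invoking account. The watched paths, the baseline entry and the approved accounts are assumed values to be replaced by the organisation's own inventory.

```python
import hashlib
from dataclasses import dataclass
# Watched boot/logon script locations: an assumed list for this example; replace
# it with the organisation's own inventory for the in-scope platforms.
WATCHED_PREFIXES = ("/etc/rc.local", "/etc/init.d/", "/etc/rc.d/", "/etc/profile.d/")
# Approved baseline, constructed for the example: path -> (owner, mode, sha256).
BASELINE = {"/etc/rc.local": ("root", "0755",
                              hashlib.sha256(b"#!/bin/sh\nexit 0\n").hexdigest())}
# Accounts and deployment systems permitted to change these scripts (assumed).
APPROVED_ACTORS = {"root", "deploy-svc"}
@dataclass
class FileEvent:
    path: str       # file that was created or modified
    actor: str      # account that made the change
    owner: str      # resulting file owner
    mode: str       # resulting permission bits
    content: bytes  # resulting content (real telemetry may carry only a hash)

def is_watched(path: str) -> bool:
    return any(path.startswith(p) for p in WATCHED_PREFIXES)

def assess(ev: FileEvent) -> list[str]:
    """Return deviations from the approved baseline; an empty list means benign."""
    if not is_watched(ev.path):
        return []
    reasons = []
    base = BASELINE.get(ev.path)
    if base is None:
        reasons.append("script not in approved inventory")
    else:
        owner, mode, digest = base
        if ev.owner != owner:
            reasons.append(f"owner {ev.owner} differs from baseline {owner}")
        if ev.mode != mode:
            reasons.append(f"mode {ev.mode} differs from baseline {mode}")
        if hashlib.sha256(ev.content).hexdigest() != digest:
            reasons.append("content differs from baseline")
    if ev.actor not in APPROVED_ACTORS:
        reasons.append(f"changed by unapproved account {ev.actor}")
    return reasons

def triage(events: list[FileEvent]) -> list[tuple[str, list[str]]]:
    # Keep only watched events that deviate, in the order they arrived.
    return [(ev.path, r) for ev in events if (r := assess(ev))]
# Constructed sample telemetry: approved change, two deviations, unrelated noise.
SAMPLE = [
    FileEvent("/etc/rc.local", "deploy-svc", "root", "0755", b"#!/bin/sh\nexit 0\n"),
    FileEvent("/etc/rc.local", "webadm", "root", "0777", b"#!/bin/sh\n/opt/x/run &\n"),
    FileEvent("/etc/profile.d/zz-extra.sh", "root", "root", "0755", b"export X=1\n"),
    FileEvent("/home/alice/notes.txt", "alice", "alice", "0644", b"todo\n"),
]
```

In a real pipeline the events would come from file-integrity or audit telemetry, and each flagged result would be correlated with change tickets and maintenance windows before escalation.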

Mitigation priorities

  • Establish and maintain an inventory of approved boot and logon initialization scripts on in-scope platforms.
  • Restrict write access to startup/logon script locations to authorized administrators and managed deployment systems.
  • Require change control for modifications to initialization scripts, especially on privileged systems and network infrastructure.
  • Enable audit logging for script file changes, privileged administrative activity, and boot/logon execution evidence.
  • Include T1037-related script locations in incident response checklists, persistence eradication steps, and recovery validation.

Analyst notes and limits

The ATT&CK detection strategy object is sparse: it provides the name, external reference, and relationship to T1037, but no official description, detection logic, tactics, or platforms directly on DET0112. The practical interpretation therefore comes from the related technique context: persistence and privilege escalation using boot or logon initialization scripts on ESXi, Linux, macOS, and network devices.

This take does not assert active exploitation, specific adversary use, detection coverage, or guaranteed visibility. Local platform mix, logging configuration, endpoint coverage, network-device audit capability, and change-management maturity will determine whether this strategy is actionable in a given environment.

Official MITRE ATT&CK definition

Boot or Logon Initialization Scripts Detection Strategy

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain     | ID    | Name                                  | Relationship / procedure
Enterprise | T1037 | Boot or Logon Initialization Scripts  | This object detects Boot or Logon Initialization Scripts.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 7b34478dcd4c1092...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 7b34478dcd4c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack DET0112

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.