DET0367: Detect Network Logon Script Abuse via Multi-Event Correlation on Windows
Analyst context for executives and security teams
DET0367 is a detection strategy for identifying abuse of Windows network logon scripts through multi-event correlation. The business issue is persistence: if logon scripts assigned through Active Directory or Group Policy are altered or abused, code may run automatically when users log on, potentially affecting many systems depending on how broadly the script is assigned.
Executive priority
Treat this as an identity and Windows operations control point, not just an endpoint alert. Leaders should ask whether the organization can prove who changed logon script assignments, where those scripts execute, which users or systems are in scope, and whether SOC/IR teams can rapidly distinguish authorized administration from persistence activity. This supports resilience, audit evidence, and incident scoping for Active Directory and Group Policy-controlled environments.
Technical view
This strategy detects T1037.003 Network Logon Script, associated with persistence and privilege escalation on Windows. Because the object provides no official detection logic, validation should focus on correlating multiple evidence sources around logon script assignment, script content/location changes, and execution during user logon. SOC teams should baseline legitimate administrative changes and expected logon script behavior, then test whether changes in Active Directory or Group Policy can be linked to subsequent script execution under assigned user privileges.
Likely telemetry
- Active Directory or Group Policy change records related to network logon script assignment
- Windows logon activity showing affected users and systems
- Script file creation, modification, or access events for configured logon script locations
- Process execution telemetry showing scripts or child processes launched during logon initialization
- Administrative account activity tied to changes in logon script configuration
Detection direction
- Validate that correlation spans configuration change, logon event, and script execution rather than relying on a single alert source.
- Tune for authorized administrative activity, scheduled maintenance, and known enterprise logon scripts to reduce false positives.
- Prioritize unusual changes affecting many users or systems, because the related technique notes that scripts may apply broadly depending on assignment.
- Confirm visibility into both the control plane used to assign scripts and the endpoints where scripts execute.
- Document blind spots where Group Policy, Active Directory, endpoint process, or script file telemetry is missing.
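The three-way correlation described above (assignment change, logon of an affected user, script execution in that logon session) can be expressed directly over normalized events. The following is an added example, not detection content from the DET0367 object, MITRE or Glexia. It assumes a SIEM exports Active Directory attribute changes (Windows event 5136 on the scriptPath attribute), interactive logons (4624) and process creation (4688) with the field names used here; all sample records, the approved-script baseline and the time windows are constructed.

```python
"""Correlate logon-script assignment changes with logon and process events.

Added example (not part of the DET0367 object or any vendor's detection content).
Assumes three normalized event streams: Active Directory attribute changes
(event 5136 modifying scriptPath), interactive logons (4624) and process
creation (4688). Field names and all sample records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline of approved logon scripts; in practice this is the
# change-controlled inventory the mitigation section calls for.
APPROVED_SCRIPTS = {r"\\dc01\netlogon\login.bat"}

# Constructed sample telemetry (ISO-8601 timestamps, one domain "CORP").
AD_CHANGES = [
    {"time": "2024-05-01T08:00:00", "event_id": 5136, "actor": "CORP\\svc-gpo",
     "target_user": "CORP\\alice", "attribute": "scriptPath",
     "new_value": r"\\dc01\netlogon\login.bat"},
    {"time": "2024-05-01T22:15:00", "event_id": 5136, "actor": "CORP\\helpdesk7",
     "target_user": "CORP\\bob", "attribute": "scriptPath",
     "new_value": r"\\fileshare\public\update.bat"},
    {"time": "2024-05-01T22:16:00", "event_id": 5136, "actor": "CORP\\helpdesk7",
     "target_user": "CORP\\carol", "attribute": "scriptPath",
     "new_value": r"\\fileshare\public\update.bat"},
]
LOGONS = [
    {"time": "2024-05-02T07:55:00", "event_id": 4624, "user": "CORP\\alice", "host": "WS01"},
    {"time": "2024-05-02T08:02:00", "event_id": 4624, "user": "CORP\\bob", "host": "WS02"},
    {"time": "2024-05-02T08:10:00", "event_id": 4624, "user": "CORP\\carol", "host": "WS03"},
]
PROCESSES = [
    {"time": "2024-05-02T07:55:20", "event_id": 4688, "user": "CORP\\alice", "host": "WS01",
     "parent": "userinit.exe", "command_line": r"cmd.exe /c \\dc01\netlogon\login.bat"},
    {"time": "2024-05-02T08:02:30", "event_id": 4688, "user": "CORP\\bob", "host": "WS02",
     "parent": "userinit.exe", "command_line": r"cmd.exe /c \\fileshare\public\update.bat"},
    {"time": "2024-05-02T08:10:40", "event_id": 4688, "user": "CORP\\carol", "host": "WS03",
     "parent": "userinit.exe", "command_line": r"cmd.exe /c \\fileshare\public\update.bat"},
]


def _t(s):
    return datetime.fromisoformat(s)


def correlate(changes, logons, processes, change_window=timedelta(days=7),
              exec_window=timedelta(minutes=5)):
    """Return one finding per assignment change that is followed by a logon of
    the affected user and, within exec_window of that logon, execution of the
    newly assigned script by that user on the same host. Changes with no
    matching logon or execution produce nothing: all three evidence types are
    required, which is the point of the multi-event strategy."""
    logons_by_user = defaultdict(list)
    for logon in logons:
        logons_by_user[logon["user"]].append(logon)
    findings = []
    for change in changes:
        if change["attribute"] != "scriptPath":
            continue
        script = change["new_value"].lower()
        changed_at = _t(change["time"])
        for logon in logons_by_user.get(change["target_user"], []):
            logged_on = _t(logon["time"])
            if not (changed_at < logged_on <= changed_at + change_window):
                continue
            for proc in processes:
                same_session = (proc["user"] == logon["user"] and proc["host"] == logon["host"]
                                and logged_on <= _t(proc["time"]) <= logged_on + exec_window)
                if same_session and script in proc["command_line"].lower():
                    findings.append({"actor": change["actor"], "user": change["target_user"],
                                     "host": logon["host"], "script": change["new_value"]})
    return findings


def triage(findings):
    """Group findings by (actor, script) so reviewers see scope at a glance;
    suppress scripts in the approved baseline and flag assignments that touch
    more than one user, since broad scope is what the strategy prioritizes."""
    groups = defaultdict(set)
    for f in findings:
        groups[(f["actor"], f["script"])].add(f["user"])
    alerts = []
    for (actor, script), users in groups.items():
        if script in APPROVED_SCRIPTS:
            continue  # matches change-controlled baseline; leave for audit review
        alerts.append({"actor": actor, "script": script,
                       "affected_users": sorted(users), "broad_scope": len(users) > 1})
    return alerts


if __name__ == "__main__":
    for alert in triage(correlate(AD_CHANGES, LOGONS, PROCESSES)):
        print(alert)
```

Run as-is, the approved `login.bat` assignment by `svc-gpo` is correlated but suppressed, while the `update.bat` assignment by `helpdesk7` produces a single alert covering both affected users with `broad_scope` set. The windows and the baseline set are the tuning knobs the detection direction above refers to; the change-window length in particular should reflect how long affected users typically take to log on after an administrative change in the environment.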
Mitigation priorities
- Establish ownership and change-control expectations for network logon scripts and Group Policy objects that assign them.
- Limit who can modify logon script assignments and script storage locations using least privilege.
- Maintain an approved inventory or baseline of expected logon scripts and their intended scope.
- Ensure incident response playbooks include rapid review of recent logon script and GPO changes when persistence is suspected.
- Use detection validation results as compliance evidence for monitoring of privileged administrative changes.
Analyst notes and limits
The supplied ATT&CK object is a detection strategy with no official description or detection text. The strongest context comes from its relationship to T1037.003 Network Logon Script, which describes Active Directory or Group Policy-assigned scripts executing at logon with assigned user privileges.
This take does not assert active exploitation, attribution, or existing detection coverage. Local validation is required to determine actual log sources, normal administrative patterns, and whether the organization uses network logon scripts.
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1037.003 | Network Logon Script (sub-technique) | This object detects Network Logon Script. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 600092b5bdde… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0367 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.