MITRE ATT&CK® Technique

T1037: Boot or Logon Initialization Scripts

Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence.[1][2] Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely.

Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

An adversary may also be able to escalate their privileges since some boot or logon initialization scripts run with higher privileges.

Enterprise · T1037 · Technique · Object v2.4 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Boot or logon initialization scripts matter because they turn normal startup and sign-in automation into a persistence and possible privilege-escalation path. For leaders, the risk is not just one compromised host: on Windows, macOS, Linux, ESXi, and network devices, trusted boot/logon mechanisms can allow unauthorized code to reappear after reboot or user logon and may run with elevated privileges depending on configuration.

Executive priority

Prioritize this technique where startup and logon automation affects critical servers, virtualization infrastructure, network devices, administrator workstations, or broadly applied enterprise policy. The key business question is whether the organization can prove who is allowed to modify boot/logon scripts, registry locations, startup items, and related directories, and whether changes are monitored well enough to support incident response and compliance evidence.

Technical view

SOC and IR teams should validate coverage across the parent technique and its sub-techniques: Windows local and network logon scripts, macOS login hooks and startup items, and Unix-like RC scripts on Linux, macOS, ESXi, and network devices. ATT&CK does not provide official detection text for T1037, but a related detection strategy, DET0112, exists. Detection engineering should focus on unauthorized creation or modification of startup/logon execution points, suspicious script or binary paths referenced from those locations, and changes made by unexpected users, processes, or management channels. Relationship context also shows use by multiple groups, a campaign, and software, so this should be treated as a persistence control-validation area rather than a niche host artifact.

Likely telemetry

  • File creation, modification, ownership, and permission-change events for boot/logon script locations and startup directories
  • Windows registry modification events for logon script-related keys where applicable
  • Active Directory and Group Policy change records for network logon scripts where applicable
  • macOS plist and login/startup configuration changes
  • Linux, ESXi, and network device startup script or RC script file-change logs

Detection direction

  • Baseline legitimate administrative boot and logon automation before alerting broadly; these mechanisms are commonly used for normal administration.
  • Alert on new or changed script paths, unexpected executable references, or permission changes in sensitive startup/logon locations.
  • Correlate modification events with the modifying account, source host, management tool, and subsequent boot/logon execution.
  • For Windows environments, include both local logon script registry locations and centrally assigned network logon scripts through directory or policy changes.
  • For macOS, Linux, ESXi, and network devices, validate that file integrity or configuration monitoring actually covers startup and RC-style locations, not only userland application paths.
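
The detection direction above, reduced to working logic, as an added example (not Glexia or MITRE code): it evaluates constructed file and registry change events for the Windows logon-script registry value, SYSVOL logon scripts, Linux and ESXi RC scripts, macOS startup items and the login-hook plist, alerts when the modifying account and tool are outside a change-control baseline, and alerts again when the new content points startup execution at a user-writable staging directory. The watched-path list, the baseline tuples, the suspicious-reference list and every sample event are assumptions built for this example; replace them with your own inventory and policy records.

```python
"""Flag changes to boot/logon initialization points that fall outside an
administrative baseline and that point startup execution at user-writable
locations. Added example, not Glexia or MITRE code: the event fields, the
watched-path list, the baseline and the sample events are all constructed."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Execution points to watch, per platform. Illustrative, not an exhaustive
# or official inventory; extend from your own asset and policy records.
WATCHED = {
    "windows": [r"HKU\*\Environment\UserInitMprLogonScript",
                r"\\*\SYSVOL\*\scripts\*"],
    "linux": ["/etc/rc.local", "/etc/rc.d/rc.local", "/etc/init.d/*", "/etc/rc*.d/*"],
    "macos": ["/Library/StartupItems/*",
              "*/Library/Preferences/com.apple.loginwindow.plist"],
    "esxi": ["/etc/rc.local.d/*"],
}

# (platform, account, tool) tuples allowed to modify those points, taken from
# change control. Constructed for this example.
BASELINE = {
    ("windows", "CORP\\gpo-admin", "gpmc.exe"),
    ("linux", "ansible", "/usr/bin/python3"),
    ("macos", "jamf", "/usr/local/bin/jamf"),
    ("esxi", "root", "/sbin/esxupdate"),
}

# Locations a boot/logon script should rarely point at: staging directories
# any user can write to.
SUSPICIOUS_REFS = [
    "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/Users/Shared/*",
    r"C:\Users\*\AppData\Local\Temp\*", r"C:\Windows\Temp\*", r"C:\ProgramData\*",
]


@dataclass
class Event:
    platform: str
    target: str                      # file path or registry value that changed
    actor: str                       # account that made the change
    tool: str                        # process or management channel used
    references: list = field(default_factory=list)  # paths the new content runs


def _match(platform, value, pattern):
    # Windows paths and registry keys are case-insensitive; POSIX paths are not.
    if platform == "windows":
        return fnmatchcase(value.lower(), pattern.lower())
    return fnmatchcase(value, pattern)


def is_watched(ev):
    return any(_match(ev.platform, ev.target, p) for p in WATCHED.get(ev.platform, []))


def evaluate(ev):
    """Return the reasons this event should alert; an empty list means no alert."""
    if not is_watched(ev):
        return []
    reasons = []
    if (ev.platform, ev.actor, ev.tool) not in BASELINE:
        reasons.append(f"unbaselined change by {ev.actor} via {ev.tool}")
    for ref in ev.references:
        if any(_match(ev.platform, ref, p) for p in SUSPICIOUS_REFS):
            reasons.append(f"references user-writable path {ref}")
    return reasons


def run(events):
    """Evaluate a batch of events and return (target, reasons) for each alert."""
    alerts = []
    for ev in events:
        reasons = evaluate(ev)
        if reasons:
            alerts.append((ev.target, reasons))
    return alerts


# Constructed sample events covering each sub-technique family.
SAMPLE_EVENTS = [
    Event("windows", r"HKU\S-1-5-21-1004\Environment\UserInitMprLogonScript",
          "CORP\\jdoe", "reg.exe", [r"C:\Users\jdoe\AppData\Local\Temp\upd.bat"]),
    Event("windows", r"\\corp.local\SYSVOL\corp.local\scripts\logon.bat",
          "CORP\\gpo-admin", "gpmc.exe", [r"\\corp.local\NETLOGON\mapdrives.vbs"]),
    Event("linux", "/etc/rc.local", "ansible", "/usr/bin/python3", ["/usr/local/sbin/agent"]),
    Event("esxi", "/etc/rc.local.d/local.sh", "root", "/bin/sh", ["/tmp/.x/vmtools"]),
    Event("macos", "/var/root/Library/Preferences/com.apple.loginwindow.plist",
          "root", "/usr/bin/defaults", ["/Users/Shared/.lh.sh"]),
    Event("linux", "/home/jdoe/.bashrc", "jdoe", "/usr/bin/vim", []),  # not a T1037 location
]

if __name__ == "__main__":
    for target, reasons in run(SAMPLE_EVENTS):
        print(target, "->", "; ".join(reasons))
```

Two design points matter in practice. The baseline is keyed on account and tool together, so a legitimate administrator account driving an unexpected process (reg.exe or an interactive shell instead of the policy or configuration-management channel) still alerts, which is the "correlate with the management tool" item above. The referenced-path check is independent of the baseline, so a change that passes change control but points startup execution into a temp directory is still surfaced for review.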

Mitigation priorities

  • Restrict file and directory permissions on sensitive boot, logon, startup, and RC script locations so only authorized administrators or trusted management processes can modify them.
  • Restrict registry permissions on sensitive Windows logon-related keys where applicable.
  • Apply least privilege to accounts that can configure local or network logon scripts, startup items, and boot-time execution mechanisms.
  • Review broadly applied logon scripts and policy-based startup mechanisms for unnecessary write access or legacy entries.
  • Use change control and configuration monitoring so authorized administrative changes can be distinguished from suspicious persistence activity.
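
The first mitigation above, checked rather than asserted, as an added example (not Glexia or MITRE code): an audit of RC and startup script locations that reports any entry a non-administrator could alter (non-root owner, group-writable, or world-writable, with a writable directory treated as seriously as a writable script because anyone can drop a new startup script into it) and emits the narrowest fix that closes the finding without stripping execute bits. The trusted-owner set, the location list and the sample records are constructed assumptions; the `scan` helper reads the live filesystem when you want to run it against a real Linux or ESXi host. Windows registry keys such as the logon-script value need the equivalent ACL review with Windows tooling and are not covered here.

```python
"""Audit boot/logon script locations for write access that would let a
non-administrator plant or replace startup code. Added example, not Glexia or
MITRE code: the record shape, the trusted-owner set, the location list and
the sample records are constructed."""
import os
import stat
from dataclasses import dataclass

# Owners allowed to hold startup locations: root here; add the uid of a
# management agent if change control says so (assumption).
TRUSTED_UIDS = {0}

# Locations to scan on a live Linux or ESXi host (illustrative, not exhaustive).
LOCATIONS = ["/etc/rc.local", "/etc/rc.d/rc.local", "/etc/rc.local.d", "/etc/init.d"]


@dataclass
class Entry:
    path: str
    mode: int   # st_mode as returned by os.stat
    uid: int    # st_uid


def weaknesses(entry):
    """Return who, besides a trusted administrator, could alter this entry."""
    findings = []
    if entry.uid not in TRUSTED_UIDS:
        findings.append(f"owned by uid {entry.uid}, not a trusted administrator")
    if entry.mode & stat.S_IWGRP:
        findings.append("group-writable")
    # A writable directory is as bad as a writable script: anyone can drop a
    # new S99 script or swap local.sh, regardless of the sticky bit.
    if entry.mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def remediation(entry):
    """Commands that close the findings without touching exec bits."""
    cmds = []
    if entry.uid not in TRUSTED_UIDS:
        cmds.append(f"chown root {entry.path}")
    if entry.mode & (stat.S_IWGRP | stat.S_IWOTH):
        cmds.append(f"chmod go-w {entry.path}")
    return cmds


def audit(entries):
    """Map each weak entry to its findings; clean entries are omitted."""
    report = {}
    for e in entries:
        f = weaknesses(e)
        if f:
            report[e.path] = f
    return report


def scan(paths):
    """Build entries from the live filesystem, one level deep; missing or
    unreadable paths are skipped so the audit can run on any host."""
    entries = []
    for p in paths:
        try:
            st = os.stat(p)
        except OSError:
            continue
        entries.append(Entry(p, st.st_mode, st.st_uid))
        if stat.S_ISDIR(st.st_mode):
            try:
                children = os.listdir(p)
            except OSError:
                continue
            for name in children:
                child = os.path.join(p, name)
                try:
                    cst = os.stat(child)
                except OSError:
                    continue
                entries.append(Entry(child, cst.st_mode, cst.st_uid))
    return entries


# Constructed records modelling an ESXi/Linux host where the rc.local.d
# directory and its local.sh were left open after an ad-hoc change.
SAMPLE_ENTRIES = [
    Entry("/etc/rc.local", stat.S_IFREG | 0o755, 0),
    Entry("/etc/rc.local.d", stat.S_IFDIR | 0o777, 0),
    Entry("/etc/rc.local.d/local.sh", stat.S_IFREG | 0o664, 1001),
    Entry("/etc/init.d/agent", stat.S_IFREG | 0o755, 0),
]

if __name__ == "__main__":
    for path, findings in audit(SAMPLE_ENTRIES).items():
        print(path, "->", "; ".join(findings))
        for cmd in remediation(next(e for e in SAMPLE_ENTRIES if e.path == path)):
            print("   fix:", cmd)
    # To audit the real host instead: audit(scan(LOCATIONS))
```

Run the audit from change control on a schedule and diff its output against the last run: a location that was clean and is now writable is a change-control gap or a persistence attempt, and either way it is the evidence the executive-priority question above asks for.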

Analyst notes and limits

This object is a parent ATT&CK technique for persistence and privilege escalation across ESXi, Linux, macOS, network devices, and Windows. The relationship set provides useful scoping through sub-techniques and mitigations M1022 and M1024. ATT&CK also relates the technique to DET0112 and to several groups, software entries, and a campaign; those relationships support defensive prioritization but should not be read as proof of current activity in any specific environment.

Official detection text was not supplied for T1037, so detection guidance is inferred from the technique description, platforms, tactics, sub-techniques, and related mitigation/detection objects. Local script locations, policy mechanisms, logging depth, and normal administrative behavior vary by platform and organization; teams must confirm actual telemetry collection and control ownership before assessing coverage.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID         Name                    Relationship
Enterprise  T1037.001  Logon Script (Windows)  Sub-technique of this object
Enterprise  T1037.002  Login Hook              Sub-technique of this object
Enterprise  T1037.003  Network Logon Script    Sub-technique of this object
Enterprise  T1037.004  RC Scripts              Sub-technique of this object
Enterprise  T1037.005  Startup Items           Sub-technique of this object
Associated objects

Groups, software, and campaigns

Group Enterprise

G0096: APT41

APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.[1] Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[2][3]

Group Enterprise

G0016: APT29

APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]

In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]

Group Enterprise

G0106: Rocke

Rocke is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name Rocke comes from the email address "rocke@live.cn" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between Rocke and the Iron Cybercrime Group, though this attribution has not been confirmed.[1]

Group Enterprise

G1048: UNC3886

UNC3886 is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan (APJ) regions. UNC3886 has displayed a deep understanding of edge devices and virtualization technologies through the exploitation of zero-day vulnerabilities and the use of novel malware families and utilities.[1][2]

Malware Enterprise

S9024: SPAWNCHIMERA

SPAWNCHIMERA is a backdoor that supports command and control and can inject malicious components into native processes.[1][2][3] It incorporates capabilities from multiple tools within the SPAWN malware family, including SPAWNANT, SPAWNMOLE, and SPAWNSNAIL.[4][2][3] SPAWNCHIMERA was first reported in April 2024.[2] SPAWNCHIMERA has been observed in activity attributed to People's Republic of China (PRC) state-sponsored threat actors, including UNC5221.[4][5][2][6]

Platforms: Linux, Network Devices
Malware Enterprise

S1078: RotaJakiro

RotaJakiro is a 64-bit Linux backdoor used by APT32. First seen in 2018, it uses a plugin architecture to extend capabilities. RotaJakiro can determine its permission level and execute according to access type (`root` or `user`).[1][2]

Platforms: Linux
Malware Enterprise

S1217: VIRTUALPITA

VIRTUALPITA is a passive backdoor with ESXi and Linux vCenter variants capable of command execution, file transfer, and starting and stopping processes. VIRTUALPITA has been in use since at least 2022 including by UNC3886 who leveraged malicious vSphere Installation Bundles (VIBs) for install on ESXi hypervisors.[1]

Platforms: ESXi, Linux
Campaign Enterprise

C0046: ArcaneDoor

ArcaneDoor is a campaign targeting networking devices from Cisco and other vendors between July 2023 and April 2024, primarily focused on government and critical infrastructure networks. ArcaneDoor is associated with the deployment of the custom backdoors Line Runner and Line Dancer. ArcaneDoor is attributed to a group referred to as UAT4356 or STORM-1849, and is assessed to be a state-sponsored campaign.[1][2]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 2.4
Created:
Modified:
Raw hash: bd4dc3366bd28863...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      2.4                       Current bundle  bd4dc3366bd2…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Mandiant APT29 Eye Spy Email Nov 22. Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.
  2. [2] Anomali Rocke March 2019. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
  3. [3] mitre-attack T1037.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.