MITRE ATT&CK® Technique

T1037.001: Logon Script (Windows)

Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.[1] This is done via adding a path to a script to the HKCU\Environment\UserInitMprLogonScript Registry key.[2]

Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

Enterprise | T1037.001 | Sub-technique | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Windows logon scripts matter because they run automatically when a user signs in, making them a practical persistence point on Windows endpoints. A change to the HKCU\Environment\UserInitMprLogonScript registry value can cause a script to run at logon for a specific user context, so defenders should treat unexpected changes there as a resilience and incident-response concern, not just a workstation configuration issue.

Executive priority

Prioritize this as a Windows persistence and potential privilege-escalation control validation item. Leaders should ask whether endpoint monitoring and registry-change auditing can show who changed logon script configuration, when it changed, and what executed afterward. This is especially relevant for incident scoping, audit evidence around endpoint hardening, and ensuring registry permissions are not loose enough to allow unauthorized persistence.

Technical view

For SOC, detection engineering, and IR teams, validate monitoring around modifications to HKCU\Environment\UserInitMprLogonScript and subsequent script execution at user logon. ATT&CK provides no official detection text for this sub-technique, but the related detection strategy DET0072 is specifically named for detecting logon script modifications and execution. Because the behavior is Windows-only in the supplied object, coverage validation should focus on Windows registry telemetry, process/script execution telemetry, user logon context, and permission review for the relevant registry location.

Likely telemetry

  • Windows registry modification events for HKCU\Environment\UserInitMprLogonScript
  • User logon events tied to the account whose logon script setting changed
  • Process and script execution events occurring immediately after logon
  • Endpoint security or EDR records showing parent/child process relationships for logon-time execution
  • Registry permission and access-control evidence for sensitive keys

Detection direction

  • Build or validate detections for creation or modification of HKCU\Environment\UserInitMprLogonScript.
  • Correlate registry changes with later script execution during the same user’s logon session.
  • Tune for legitimate administrative logon script use; baseline known managed scripts and approved administrators before treating all changes as malicious.
  • During investigations, scope by user profile and endpoint because the ATT&CK description notes this can maintain persistence on a single system.
  • Use relationship context from DET0072 as the defensive direction: monitor both logon script modification and execution, not only one side of the behavior.
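The detection direction above (and the telemetry list before it) can be expressed as a small correlation routine: flag writes to the UserInitMprLogonScript value, suppress writes that match a local baseline of approved administrators and managed script paths, and escalate when the affected user's next logon is followed by a userinit.exe child or a process whose command line references the written path. The following Python is an added example, not code from the ATT&CK object or from Glexia; the Sysmon-style event records, hosts, users, SIDs, script paths and the baseline sets are all constructed and hypothetical.

```python
"""T1037.001 detection sketch: UserInitMprLogonScript writes correlated with
logon-time execution. Added example; all events and baselines are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# HKCU\Environment\UserInitMprLogonScript shows up in registry telemetry as
# HKU\<user SID>\Environment\UserInitMprLogonScript, so match on the suffix.
VALUE_SUFFIX = r"\environment\userinitmprlogonscript"

# Constructed local baseline (hypothetical): accounts allowed to set logon
# scripts and the managed script paths they are expected to set.
APPROVED_ADMINS = {r"corp\svc-gpo"}
APPROVED_SCRIPTS = {r"\\corp\netlogon\mapdrives.cmd"}

# How long after a logon event we still attribute process creation to it.
EXEC_WINDOW = timedelta(minutes=5)


@dataclass
class Event:
    ts: datetime
    kind: str      # "registry_set", "logon" or "process_create"
    host: str
    user: str      # account performing the action
    details: dict = field(default_factory=dict)


def is_logon_script_write(ev: Event) -> bool:
    """True for a registry_set event targeting the UserInitMprLogonScript value."""
    return ev.kind == "registry_set" and ev.details.get("target", "").lower().endswith(VALUE_SUFFIX)


def is_baselined(ev: Event) -> bool:
    """Approved admin writing an approved managed script path: tuned out."""
    return (ev.user.lower() in APPROVED_ADMINS
            and ev.details.get("data", "").lower() in APPROVED_SCRIPTS)


def find_execution(events, write: Event):
    """First process started within EXEC_WINDOW of the affected user's next logon
    on the same host that is a child of userinit.exe or references the script."""
    victim = write.details["hive_user"].lower()
    script = write.details.get("data", "").lower()
    logons = sorted((e for e in events if e.kind == "logon" and e.host == write.host
                     and e.user.lower() == victim and e.ts >= write.ts), key=lambda e: e.ts)
    for logon in logons:
        for e in events:
            if (e.kind == "process_create" and e.host == write.host
                    and e.user.lower() == victim
                    and logon.ts <= e.ts <= logon.ts + EXEC_WINDOW):
                parent = e.details.get("parent_image", "").lower()
                cmdline = e.details.get("cmdline", "").lower()
                if parent.endswith(r"\userinit.exe") or (script and script in cmdline):
                    return e
    return None


def detect(events):
    """One finding per unapproved write; severity rises when execution follows."""
    findings = []
    for ev in events:
        if not is_logon_script_write(ev) or is_baselined(ev):
            continue
        finding = {"host": ev.host, "actor": ev.user,
                   "affected_user": ev.details["hive_user"],
                   "script": ev.details.get("data", ""),
                   "written_by": ev.details.get("image", ""),
                   "severity": "medium", "executed": None}
        hit = find_execution(events, ev)
        if hit is not None:
            finding["severity"] = "high"
            finding["executed"] = hit.details.get("image", "")
        findings.append(finding)
    return findings


T0 = datetime(2024, 5, 6, 8, 0, 0)
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    # Managed script set by the GPO service account for bob: matches the baseline.
    Event(T0, "registry_set", "WS01", r"CORP\svc-gpo",
          {"target": r"HKU\S-1-5-21-1-1-1-1002\Environment\UserInitMprLogonScript",
           "data": r"\\corp\netlogon\mapdrives.cmd", "hive_user": r"CORP\bob",
           "image": r"C:\Windows\System32\gpscript.exe"}),
    Event(T0 + timedelta(minutes=30), "logon", "WS01", r"CORP\bob"),
    Event(T0 + timedelta(minutes=30, seconds=4), "process_create", "WS01", r"CORP\bob",
          {"image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\System32\userinit.exe",
           "cmdline": r"cmd.exe /c \\corp\netlogon\mapdrives.cmd"}),
    # Unapproved write into alice's own hive, then execution at her next logon.
    Event(T0 + timedelta(hours=1), "registry_set", "WS02", r"CORP\alice",
          {"target": r"HKU\S-1-5-21-1-1-1-1001\Environment\UserInitMprLogonScript",
           "data": r"C:\Users\alice\AppData\Roaming\sync.vbs", "hive_user": r"CORP\alice",
           "image": r"C:\Windows\System32\reg.exe"}),
    Event(T0 + timedelta(hours=2), "logon", "WS02", r"CORP\alice"),
    Event(T0 + timedelta(hours=2, seconds=3), "process_create", "WS02", r"CORP\alice",
          {"image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Windows\System32\userinit.exe",
           "cmdline": r"wscript.exe C:\Users\alice\AppData\Roaming\sync.vbs"}),
    # Unapproved write with no logon observed yet: still reported, at lower severity.
    Event(T0 + timedelta(hours=3), "registry_set", "WS03", r"CORP\carol",
          {"target": r"HKU\S-1-5-21-1-1-1-1003\Environment\UserInitMprLogonScript",
           "data": r"C:\ProgramData\t.bat", "hive_user": r"CORP\carol",
           "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"}),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

Scoping is per host and per affected user profile, as the investigation note above suggests; the baseline check is deliberately an AND of approved actor and approved path, so a trusted account writing an unexpected path still surfaces.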

Mitigation priorities

  • Review and restrict registry permissions on sensitive keys, consistent with related mitigation M1024.
  • Limit who can modify logon script configuration and validate that administrative access is required where expected.
  • Periodically audit relevant registry values for unauthorized or unexpected script paths.
  • Preserve evidence of registry ACLs, approved configuration, and change history for compliance and incident-response readiness.

Analyst notes and limits

This sub-technique is part of Boot or Logon Initialization Scripts and is scoped here to Windows. Relationship context shows use by APT28, Cobalt Group, and several Windows malware/software entries, which supports treating the behavior as a known adversary persistence pattern, but it should not be interpreted as evidence of activity in any specific environment.

The official ATT&CK object does not provide detection text, and the supplied mitigation detail is general registry-permission hardening. Local baselines are required to distinguish legitimate administrative logon scripts from suspicious persistence. No claims can be made here about active exploitation, customer exposure, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Logon Script (Windows)

Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.[1] This is done via adding a path to a script to the HKCU\Environment\UserInitMprLogonScript Registry key.[2]

Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain: Enterprise
ID: T1037
Name: Boot or Logon Initialization Scripts
Relationship / procedure: This object is a sub-technique of Boot or Logon Initialization Scripts.
Associated objects

Groups, software, and campaigns

Group Enterprise

G0007: APT28

APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]

APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.

Group Enterprise

G0080: Cobalt Group

Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. Cobalt Group has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use their access to then compromise additional victims.[1][2][3][4][5][6][7] Reporting indicates there may be links between Cobalt Group and both the malware Carbanak and the group Carbanak.[8]

Malware Enterprise

S0438: Attor

Attor is a Windows-based espionage platform that has been seen in use since 2013. Attor has a loadable plugin architecture to customize functionality for specific targets.[1]

Windows
Malware Enterprise

S0526: KGH_SPY

KGH_SPY is a modular suite of tools used by Kimsuky for reconnaissance, information stealing, and backdoor capabilities. KGH_SPY derived its name from PDB paths and internal names found in samples containing "KGH".[1]

Windows
Malware Enterprise

S0251: Zebrocy

Zebrocy is a Trojan that has been used by APT28 since at least November 2015. The malware comes in several programming language variants, including C++, Delphi, AutoIt, C#, VB.NET, and Golang. [1][2][3][4]

Windows
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
6aeff934ea6dcd22...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 6aeff934ea6d…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. TechNet Logon Scripts: Microsoft. (2005, January 21). Creating logon scripts. Retrieved April 27, 2016.
  2. Hexacorn Logon Scripts: Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part 18. Retrieved November 15, 2019.
  3. mitre-attack T1037.001.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.