Logon Scripts
Logon scripts offer a way for administrators to automate tasks that should occur each time a user logs on to a Windows system.
Overview
Key Location: It's important to clarify that the typical way to set logon scripts for persistence through the registry involves manipulating environment variables or directly setting scripts in Group Policy Objects (GPOs). However, for local user logon scripts without using GPOs, scripts can be specified through the following registry key:
HKCU\Environment
Here, the UserInitMprLogonScript variable, or other custom variables, might be used to specify scripts. However, this specific value (UserInitMprLogonScript) is not a standard Windows environment variable used for logon scripts. Instead, logon scripts are commonly configured via:
Group Policy: User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)
Local Group Policy Editor: for individual systems without a domain.
Purpose and Use: Logon scripts can run batch files, PowerShell scripts, or other executable files. Administrators use them to automate repetitive tasks needed upon user login, such as setting up the user environment, launching applications, or updating software.
Abuse by Threat Actors
Persistence Mechanism: By inserting a path to a malicious script or executable into the registry to be run at logon, threat actors ensure their payload is executed every time the victim logs on. This can be done by adding a new environment variable that points to a malicious script or by modifying existing variables or policies intended for legitimate logon scripts.
Stealth: Since logon scripts are a legitimate part of many enterprise environments, the use of this mechanism by malware can sometimes evade detection by blending in with normal administrative activities.
Detection and Mitigation
Monitoring and Auditing: Regularly monitor and audit the HKCU\Environment registry key and Group Policy settings for unauthorized changes. Look for unexpected or unknown scripts set to execute at logon.
Security Solutions: Use endpoint security solutions that can detect and alert on modifications to registry keys associated with persistence mechanisms. These solutions can often correlate such changes with other suspicious behavior on the system.
Education and Policies: Educate administrators and users about the risks associated with logon scripts and enforce policies that restrict who can modify logon script settings.
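As an added example (not code from the original page), the following PowerShell audit enumerates the Environment key of the current user and of every other loaded user hive under HKEY_USERS, and flags values that look like logon scripts. The UserInitMprLogonScript name comes from the page; the script-extension list, temp-path patterns and interpreter names are heuristics assumed for this example.

```powershell
# Added example: audit per-user Environment keys for values that behave like logon scripts.
# The extension list, temp-path patterns and interpreter names below are heuristics
# chosen for this example; tune them to your environment.
$ScriptExtensions = '\.(ps1|bat|cmd|vbs|vbe|js|jse|wsf|hta|exe|dll|scr)\b'
$TempLikePaths    = '\\(Temp|Tmp|ProgramData|Public|Downloads)\\'
$Interpreters     = '(powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32)'
$ExpectedTempVars = @('TEMP', 'TMP')   # these legitimately point at temp directories

function Get-SuspiciousLogonScriptEntry {
    # HKCU is the current user's hive; HKEY_USERS exposes every hive that is currently
    # loaded, so one pass also covers other logged-on users on a shared host.
    $currentSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $keys = @('HKCU:\Environment')
    $keys += Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notmatch '_Classes$' -and $_.PSChildName -ne $currentSid } |
        ForEach-Object { "Registry::$($_.Name)\Environment" }

    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
            $value   = [string]$p.Value
            $reasons = @()
            if ($p.Name -ieq 'UserInitMprLogonScript') { $reasons += 'UserInitMprLogonScript value present' }
            if ($value -match $ScriptExtensions)        { $reasons += 'references a script or executable' }
            if ($value -match $Interpreters)            { $reasons += 'invokes a script interpreter' }
            if ($value -match $TempLikePaths -and $p.Name -notin $ExpectedTempVars) {
                $reasons += 'path under a user-writable or temp location'
            }
            if ($reasons.Count -gt 0) {
                # Emit one finding per flagged value so the output can be piped to Export-Csv or a SIEM forwarder
                [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $value; Reasons = ($reasons -join '; ') }
            }
        }
    }
}

Get-SuspiciousLogonScriptEntry | Format-Table -AutoSize
```

Reading hives of other users requires administrative rights; run it as a scheduled baseline and diff successive outputs to catch newly added values.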
Example of a Suspicious Entry
A hypothetical example of a suspicious registry entry using a different variable for logon scripts might look like:
Here, MyCustomLogonScript is a made-up variable name that points to a PowerShell script located in a directory commonly used by malware for temporary storage. Real attacks might use more subtly named variables and scripts located in less obvious paths.
Conclusion
While logon scripts are a valid and useful feature for system administration, their misuse for persistence highlights the need for vigilance and robust security practices. Organizations should monitor relevant registry keys and Group Policy settings for unauthorized modifications and employ layered security measures to detect and prevent malicious activity.