TIARAS - T1037.001: Logon Script (Windows)

MITRE ATT&CK Technique

Persistence T1037.001

Description

Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.(Citation: TechNet Logon Scripts) This is done via adding a path to a script to the <code>HKCU\Environment\UserInitMprLogonScript</code> Registry key.(Citation: Hexacorn Logon Scripts) Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

Supported Platforms

Windows

Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data

{'created': '2020-01-10T03:43:37.211Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may use Windows logon scripts automatically '
                'executed at logon initialization to establish persistence. '
                'Windows allows logon scripts to be run whenever a specific '
                'user or group of users log into a system.(Citation: TechNet '
                'Logon Scripts) This is done via adding a path to a script to '
                'the <code>HKCU\\Environment\\UserInitMprLogonScript</code> '
                'Registry key.(Citation: Hexacorn Logon Scripts)\n'
                '\n'
                'Adversaries may use these scripts to maintain persistence on '
                'a single system. Depending on the access configuration of the '
                'logon scripts, either local credentials or an administrator '
                'account may be necessary. ',
 'external_references': [{'external_id': 'T1037.001',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1037/001'},
                         {'description': 'Hexacorn. (2014, November 14). '
                                         'Beyond good ol’ Run key, Part 18. '
                                         'Retrieved November 15, 2019.',
                          'source_name': 'Hexacorn Logon Scripts',
                          'url': 'http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/'},
                         {'description': 'Microsoft. (2005, January 21). '
                                         'Creating logon scripts. Retrieved '
                                         'April 27, 2016.',
                          'source_name': 'TechNet Logon Scripts',
                          'url': 'https://technet.microsoft.com/en-us/library/cc758918(v=ws.10).aspx'}],
 'id': 'attack-pattern--eb125d40-0b2d-41ac-a71a-3229241c2cd3',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'persistence'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'privilege-escalation'}],
 'modified': '2025-10-24T17:49:33.610Z',
 'name': 'Logon Script (Windows)',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Windows'],
 'x_mitre_version': '1.0'}

Quick Actions

Edit TTP Update from Web

Related Threat Actors (1)

Cobalt Group
High

Back to TTPs

Dashboard About