Home > CAPEC List > CAPEC-564: Run Software at Logon (Version 2.10)  

CAPEC-564: Run Software at Logon

 
Run Software at Logon
Definition in a New Window Definition in a New Window
Attack Pattern ID: 564
Abstraction: Detailed
Status: Draft
Completeness: Stub
Presentation Filter:
+ Summary

Operating system allows logon scripts to be run whenever a specific user or users logon to a system. If adversaries can access these scripts, they may insert additional code into the logon script. This code can allow them to maintain persistence or move laterally within an enclave because it is executed every time the affected user or users logon to a computer. Modifying logon scripts can effectively bypass workstation and enclave firewalls. Depending on the access configuration of the logon scripts, either local credentials or a remote administrative account may be necessary.

+ Solutions and Mitigations

Restrict write access to logon scripts to necessary administrators.

+ References
[R.564.1] ATT&CK Project. "Logon scripts (1037)". MITRE. <https://attack.mitre.org/wiki/Logon_scripts>.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2015-11-09Internal_CAPEC_Team
More information is available — Please select a different filter.
Page Last Updated or Reviewed: May 01, 2017