Red Team Notes
Logon Scripts

ID: T1037 Tactic: Lateral Movement, Persistence


Last updated 5 years ago


Windows

Windows allows logon scripts to be run whenever a specific user or group of users logs into a system. The scripts can be used to perform administrative functions, which often execute other programs or send information to an internal logging server.

If adversaries can access these scripts, they may insert additional code into the logon script to execute their tools when a user logs in. This code can allow them to maintain persistence on a single system, if it is a local script, or to move laterally within a network, if the script is stored on a central server and pushed to many systems. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

Mac

Mac allows login and logout hooks to be run as root whenever a specific user logs into or out of a system. A login hook tells Mac OS X to execute a certain script when a user logs in, but unlike startup items, a login hook executes as root. Only one login hook can exist at a time, though. If adversaries can access these scripts, they can insert additional code into the script to execute their tools when a user logs in.

In this example we will use a Windows 10 machine. To keep it simple, I will create a bat file that runs and executes the Calculator every time the user logs in.

I will use the following command on the command prompt, and the bat file's content will be this:

These require elevated permissions, such as root or admin:

schtasks /create /sc onlogon /tn "task-name" /tr "File or App PATH" /RU "username"

Attack executed:

With this logon script we can do much more, such as run an Empire stager, enumerate the host, dump credentials, and create persistence that calls back to us every time a specific user logs in; many more examples are possible. We can also modify Registry Keys that act upon logon.
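As an added example (not from the original notes), here is a PowerShell audit from the defender's side: it enumerates every scheduled task that carries a logon trigger, which is exactly what the schtasks /sc onlogon command above registers, and flags any action whose program lives outside the Windows or Program Files directories. The function and parameter names are my own; run it from an elevated session so tasks registered by other users are visible.

```powershell
# Added example, not part of the original notes: audit logon-triggered scheduled tasks.
# Assumes an elevated PowerShell session on Windows 10 or later.

function Get-LogonTriggeredTasks {
    [CmdletBinding()]
    param(
        # Directories whose executables are treated as expected; anything else is flagged.
        [string[]]$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)})
    )

    # Drop empty roots (e.g. no 32-bit Program Files on a 32-bit host) so nothing matches "".
    $roots = @($TrustedRoots | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' })

    Get-ScheduledTask | ForEach-Object {
        $task = $_
        # MSFT_TaskLogonTrigger is the CIM class behind "schtasks /sc onlogon".
        $logonTriggers = @($task.Triggers | Where-Object {
            $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger'
        })
        if ($logonTriggers.Count -eq 0) { return }

        foreach ($action in $task.Actions) {
            # Only exec actions have Execute/Arguments; COM handler actions come back empty here.
            $exe = $action.Execute
            $expanded = if ($exe) { [Environment]::ExpandEnvironmentVariables($exe).Trim('"') } else { '' }
            $trusted = $false
            foreach ($root in $roots) {
                if ($expanded -and $expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $trusted = $true
                }
            }
            [pscustomobject]@{
                TaskPath    = $task.TaskPath
                TaskName    = $task.TaskName
                RunAsUser   = $task.Principal.UserId
                # Empty TriggerUser means the trigger fires for any user's logon.
                TriggerUser = (@($logonTriggers | ForEach-Object { $_.UserId }) -join ',')
                Execute     = $exe
                Arguments   = $action.Arguments
                Suspicious  = -not $trusted
            }
        }
    }
}

# Review everything that fires at logon, suspicious entries first.
Get-LogonTriggeredTasks | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A task whose action points at a user-writable path (a bat file in a profile directory, for instance) is the pattern this page's example creates and is worth a closer look; compare the result with a baseline taken from a clean build.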

More examples can be found here:

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md