| Name |
Run Software at Logon |
|
| Likelyhood of attack |
Typical severity |
| High |
High |
|
| Summary |
Operating system allows logon scripts to be run whenever a specific user or users logon to a system. If adversaries can access these scripts, they may insert additional code into the logon script. This code can allow them to maintain persistence or move laterally within an enclave because it is executed every time the affected user or users logon to a computer. Modifying logon scripts can effectively bypass workstation and enclave firewalls. Depending on the access configuration of the logon scripts, either local credentials or a remote administrative account may be necessary. |
| Prerequisites |
|
| Solutions | Restrict write access to logon scripts to necessary administrators. |
| Related Weaknesses |
|
CWE ID
|
Description
|
| CWE-284 |
Improper Access Control |
|
| Related CAPECS |
|
CAPEC ID
|
Description
|
| CAPEC-542 |
An adversary develops targeted malware that takes advantage of a known vulnerability in an organizational information technology environment. The malware crafted for these attacks is based specifically on information gathered about the technology environment. Successfully executing the malware enables an adversary to achieve a wide variety of negative technical impacts. |
|
| Taxonomy: ATTACK |
|
Entry ID
|
Entry Name
|
| 1037.001 |
Boot or Logon Initialization Scripts:Logon Script (Windows) |
| 1037.002 |
Boot or Logon Initialization Scripts:Logon Script (Mac) |
| 1037.003 |
Boot or Logon Initialization Scripts:Network Logon Script |
| 1543.001 |
Create or Modify System Process:Launch Agent |
| 1547 |
Boot or Logon Autostart Execution |
|