Logon Scripts via UserInitMprLogonScript

Metadata

Contributors: Roberto Rodriguez @Cyb3rWard0g
Creation Date: 2020/10/19
Modification Date: 2020/10/19
Tactics: TA0003
Techniques: T1037.001
Tags: art.d6042746-07d4-4c92-9ad8-e644c114a231

Dataset Description

This dataset represents adversaries leveraging logon initialization scripts to achieve persistence by setting the UserInitMprLogonScript value under the user's HKCU\Environment registry key, so that the referenced script runs at every logon of that user.

Simulation Metadata

Tools

type      Name    Module
Manual    Cmd     Cmd

Adversary View

Microsoft Windows [Version 10.0.18363.1139]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Users\wardog>echo "echo Art Logon Script atomic test was successful. >> %USERPROFILE%\desktop\T1037.001-log.txt" > %temp%\art.bat

C:\Users\wardog>REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d %temp%\art.bat /f
The operation completed successfully.

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

# The dataset is published as a zip archive containing one newline-delimited JSON file.
url = "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/persistence/host/cmd_userinitmprlogonscript_batch.zip"
zipFileRequest = requests.get(url)
zipFileRequest.raise_for_status()
zipFile = ZipFile(BytesIO(zipFileRequest.content))
# Extract the first (and only) member into the working directory and keep its path.
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

import pandas as pd

# lines=True: one JSON event record per line (newline-delimited JSON).
df = pd.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

# Count events per log channel (e.g. Sysmon, Security) to see what the dataset contains.
df.groupby(['Channel']).size().sort_values(ascending=False)