TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Black Hills InfoSec

Backdoors & Breaches: Logon Scripts

BHIS · 2020-04-06

ATT&CK techniques detected

4 predictions
T1547.001 Registry Run Keys / Startup Folder
100%
“##version\runonce - hkey_local_machine\software\microsoft\windows\currentversion\runonceex in fact, there are many other options for execution and a comprehensive treatment can be found at https://attack.mitre.org/techniques/t1060/. if an attacker is ab…”
T1547.001 Registry Run Keys / Startup Folder
99%
“execution during user session initialization. so, what techniques might an attacker try to obtain authentication-based execution? - modification of registry keys - local filesystem-based automated execution - default domain logon script modification - group policy modificatio…”
T1484.001 Group Policy Modification
83%
“script has been prescribed. where write access is not allowed, the attacker can trace execution to determine whether additional scripts or binaries are called by the initial script and evaluate ntfs permissions in those locations. as a result, the organization must periodically e…”
T1484.001 Group Policy Modification
53%
“a similar condition arises when the attacker has control of a user with the ability to modify attributes of objects within the active directory schema. in the context of this post, the object type would be users. this vector is similar to the previous one. however, instead of mod…”

Summary

David Fletcher // This blog post discusses the relevance and techniques involved in logon script abuse. While the Backdoors & Breaches card is featured for this topic, the post will […]

The post Backdoors & Breaches: Logon Scripts appeared first on Black Hills Information Security, Inc.