Logon Triggered

MITRE ATT&CK™ Boot or Logon Autostart Execution - Technique T1547

Theory

It's sometime usefull to know how to plant payloads that will get executed when a user logs into the system !

Practice

We can put executable in each user's folder:

C:\Users\<your_username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

If we want to force all users to run a payload while logging in, we can use the folder under:

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

One of the things userinit.exe does while loading your user profile is to check for an environment variable called UserInitMprLogonScript. We can use this environment variable to assign a logon script to a user that will get run when logging into the machine.

reg add "HKCU\Environment" /v UserInitMprLogonScript /d "C:\Windows\shell.exe" /f

Last updated 8 months ago