title: Logon Script (Windows) (T1037.001)
id: df00tech-t1037-001
status: experimental
description: "Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system. This is done via adding a path to a script to the HKCU\\Environment\\UserInitMprLogonScript Registry key. Adversaries such as APT28, Cobalt Group, and malware families including Attor, JHUHUGIT, KGH_SPY, and Zebrocy have all leveraged this technique to maintain persistence on compromised systems."
references:
  - https://attack.mitre.org/techniques/T1037/001/
  - https://df00tech.com/detections/T1037.001
author: df00tech
date: 2026/04/16
tags:
  - attack.t1037.001
# NOTE: logsource is auto-derived. registry_set corresponds to Sysmon Event ID 13
# (RegistryEvent: Value Set) or an equivalent registry-auditing source; verify the
# mapping for your environment before deploying.
logsource:
  product: windows
  category: registry_set
detection:
  # Matches writes to the logon-script registry value named in the description
  # (HKCU\Environment\UserInitMprLogonScript; in Sysmon TargetObject this appears
  # under HKU\<SID>\Environment). See the KQL/SPL query on df00tech for the
  # vendor-specific form. Tune with the false positives listed below.
  selection:
    TargetObject|endswith: '\Environment\UserInitMprLogonScript'
  condition: selection
falsepositives:
  - "Enterprise software that legitimately uses UserInitMprLogonScript for logon-time configuration (e.g., some VPN clients or network drive mapping tools)"
  - Group Policy or IT administration scripts that configure logon scripts via the registry for specific users
  - Security assessment or penetration testing tools running authorized tests on the environment
level: high
