title: Network Logon Script (T1037.003)
id: df00tech-t1037-003
status: experimental
description: "Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects. These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, initializing one of these scripts could apply to more than one or potentially all systems. Adversaries may use these scripts to maintain persistence on a network. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary."
references:
  - https://attack.mitre.org/techniques/T1037/003/
  - https://df00tech.com/detections/T1037.003
author: df00tech
date: 2026/04/16
tags:
  - attack.t1037.003
# NOTE: logsource is auto-derived and will most likely need adjustment. The false positives listed below
# describe scriptPath attribute changes and file writes into SYSVOL/NETLOGON, which do not appear in
# process_creation telemetry: on Windows those surface as Security event 5136 (directory service object
# modified, requires Directory Service Changes auditing and a SACL on the user objects), Security event
# 4738 (user account changed, carries the Script Path field) and Sysmon event 11 (FileCreate).
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # Placeholder only: EventID '*' matches every event in the logsource, so at level high this rule
  # would fire on all process creations. Do not deploy it as-is.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - IT administrators legitimately deploying or updating logon scripts via Group Policy or AD Users and Computers for software deployment or environment configuration
  - SCCM/Intune or other endpoint management platforms that modify SYSVOL/NETLOGON share contents as part of normal GPO operations
  - Automated provisioning systems that set the scriptPath attribute on new user accounts during onboarding workflows
  - "Domain controllers replicating SYSVOL content via DFS-R or FRS, which generates file creation/modification events in the SYSVOL path"
level: high
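Since the rule body above is only a placeholder, here is an added example (not code from the df00tech rule or from the MITRE entry) of the two signals the false-positive list implies for T1037.003: a user's scriptPath attribute being set (Windows Security event 5136) and a file landing in the NETLOGON scripts folder (Sysmon event 11). It runs over constructed events; the field names follow the Windows and Sysmon event XML, while the allowlists (TRUSTED_SUBJECTS, TRUSTED_IMAGES) and the severity bump for UNC or drive-letter script paths are this example's own assumptions, standing in for the false positives the rule lists.

```python
"""Added example detector for T1037.003 over constructed Windows/Sysmon events.
Not part of the df00tech rule; allowlists and severity logic are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical allowlists standing in for the rule's false positives
# (provisioning/SCCM service accounts, DFS-R replication). Tune per environment.
TRUSTED_SUBJECTS = {"svc-provisioning", "svc-sccm"}
TRUSTED_IMAGES = {r"c:\windows\system32\dfsrs.exe"}

# NETLOGON is \\<dc>\SYSVOL\<domain>\scripts; on a DC the same folder is also
# reachable as C:\Windows\SYSVOL\domain\scripts. This matches either form.
SYSVOL_SCRIPTS = re.compile(r"\\sysvol\\[^\\]+\\scripts\\", re.IGNORECASE)
# scriptPath is normally relative to NETLOGON (e.g. "logon.bat"); a UNC path or
# drive letter means the script is served from somewhere else (assumed riskier).
UNC_OR_DRIVE = re.compile(r"^(\\\\|[A-Za-z]:)")
VALUE_ADDED = "%%14674"  # 5136 OperationType meaning "Value Added"


@dataclass
class Alert:
    rule: str
    severity: str
    subject: str
    detail: str


def check_scriptpath_change(ev: dict) -> Optional[Alert]:
    """Security 5136 where the scriptPath attribute receives a new value."""
    if ev.get("EventID") != 5136:
        return None
    if ev.get("AttributeLDAPDisplayName", "").lower() != "scriptpath":
        return None
    if ev.get("OperationType") != VALUE_ADDED:
        return None  # value deletions are left out of scope here
    subject = ev.get("SubjectUserName", "")
    if subject.lower() in TRUSTED_SUBJECTS:
        return None
    value = ev.get("AttributeValue", "")
    severity = "high" if UNC_OR_DRIVE.match(value) else "medium"
    return Alert("T1037.003-scriptPath", severity, subject,
                 f"{ev.get('ObjectDN', '?')} scriptPath={value!r}")


def check_sysvol_write(ev: dict) -> Optional[Alert]:
    """Sysmon 11 where the created file lives in the NETLOGON scripts folder."""
    if ev.get("EventID") != 11:
        return None
    target = ev.get("TargetFilename", "")
    if not SYSVOL_SCRIPTS.search(target):
        return None
    image = ev.get("Image", "").lower()
    user = ev.get("User", "").split("\\")[-1].lower()  # User field: Sysmon v13+
    if image in TRUSTED_IMAGES or user in TRUSTED_SUBJECTS:
        return None
    return Alert("T1037.003-sysvol-write", "medium", ev.get("User", ""),
                 f"{image} wrote {target}")


def run(events) -> list:
    """Apply both checks to every event and collect alerts in event order."""
    alerts = []
    for ev in events:
        for check in (check_scriptpath_change, check_sysvol_write):
            alert = check(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: admin sets a NETLOGON-relative scriptPath -> medium
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectClass": "user",
     "ObjectDN": "CN=Alice,OU=Users,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "scriptPath", "AttributeValue": "logon.bat",
     "OperationType": "%%14674"},
    # 1: scriptPath pointing at an arbitrary UNC share -> high
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectClass": "user",
     "ObjectDN": "CN=Bob,OU=Users,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "scriptPath",
     "AttributeValue": r"\\10.0.0.5\share\update.bat", "OperationType": "%%14674"},
    # 2: onboarding automation sets scriptPath -> suppressed
    {"EventID": 5136, "SubjectUserName": "svc-provisioning", "ObjectClass": "user",
     "ObjectDN": "CN=New,OU=Users,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "scriptPath", "AttributeValue": "logon.bat",
     "OperationType": "%%14674"},
    # 3: DFS-R replicating SYSVOL on a DC -> suppressed
    {"EventID": 11, "Image": r"C:\Windows\System32\dfsrs.exe",
     "User": r"NT AUTHORITY\SYSTEM",
     "TargetFilename": r"C:\Windows\SYSVOL\domain\scripts\logon.bat"},
    # 4: PowerShell dropping a script into NETLOGON -> medium
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"CORP\jdoe",
     "TargetFilename": r"\\corp.local\SYSVOL\corp.local\scripts\persist.vbs"},
    # 5: unrelated process creation -> ignored
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.rule} by {a.subject}: {a.detail}")
```

Running the block prints three alerts: the two scriptPath changes by jdoe (medium for the NETLOGON-relative value, high for the UNC value) and the PowerShell write into NETLOGON; the provisioning account and DFS-R events are suppressed by the allowlists, which is where the rule's false-positive entries would be encoded in a real deployment.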
