Boot or Logon Initialization Scripts - T1037
(ATT&CK® Technique)
Definition
Adversaries may use scripts that are automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform administrative functions, which often involve executing other programs or sending information to an internal logging server. These scripts vary by operating system and by whether they are applied locally or remotely.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR; T1037["Boot or Logon Initialization Scripts"] --> |modifies| SystemStartupDirectory["System Startup Directory"]; class T1037 OffensiveTechniqueNode; class SystemStartupDirectory ArtifactNode; click SystemStartupDirectory href "/dao/artifact/d3f:SystemStartupDirectory"; click T1037 href "/offensive-technique/attack/T1037/"; click SystemStartupDirectory href "/dao/artifact/d3f:SystemStartupDirectory"; T1037["Boot or Logon Initialization Scripts"] --> |modifies| SystemInitScript["System Init Script"]; class T1037 OffensiveTechniqueNode; class SystemInitScript ArtifactNode; click SystemInitScript href "/dao/artifact/d3f:SystemInitScript"; click T1037 href "/offensive-technique/attack/T1037/"; click SystemInitScript href "/dao/artifact/d3f:SystemInitScript"; T1037["Boot or Logon Initialization Scripts"] --> |modifies| UserInitScript["User Init Script"]; class T1037 OffensiveTechniqueNode; class UserInitScript ArtifactNode; click UserInitScript href "/dao/artifact/d3f:UserInitScript"; click T1037 href "/offensive-technique/attack/T1037/"; click UserInitScript href "/dao/artifact/d3f:UserInitScript"; T1037["Boot or Logon Initialization Scripts"] --> |modifies| NetworkInitScriptFileResource["Network Init Script File Resource"]; class T1037 OffensiveTechniqueNode; class NetworkInitScriptFileResource ArtifactNode; click NetworkInitScriptFileResource href "/dao/artifact/d3f:NetworkInitScriptFileResource"; click T1037 href "/offensive-technique/attack/T1037/"; click NetworkInitScriptFileResource href "/dao/artifact/d3f:NetworkInitScriptFileResource"; DecoyFile["Decoy File"] --> | spoofs | NetworkInitScriptFileResource["Network Init Script File Resource"]; DecoyFile["Decoy File"] -.-> | may-deceive | T1037["Boot or Logon Initialization Scripts"] ; class DecoyFile DefensiveTechniqueNode; class NetworkInitScriptFileResource ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; DecoyFile["Decoy File"] --> | spoofs | SystemInitScript["System Init Script"]; class 
DecoyFile DefensiveTechniqueNode; class SystemInitScript ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; DecoyFile["Decoy File"] --> | spoofs | UserInitScript["User Init Script"]; class DecoyFile DefensiveTechniqueNode; class UserInitScript ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; DecoyNetworkResource["Decoy Network Resource"] --> | spoofs | NetworkInitScriptFileResource["Network Init Script File Resource"]; DecoyNetworkResource["Decoy Network Resource"] -.-> | may-deceive | T1037["Boot or Logon Initialization Scripts"] ; class DecoyNetworkResource DefensiveTechniqueNode; class NetworkInitScriptFileResource ArtifactNode; click DecoyNetworkResource href "/technique/d3f:DecoyNetworkResource"; EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | NetworkInitScriptFileResource["Network Init Script File Resource"]; EmulatedFileAnalysis["Emulated File Analysis"] -.-> | may-detect | T1037["Boot or Logon Initialization Scripts"] ; class EmulatedFileAnalysis DefensiveTechniqueNode; class NetworkInitScriptFileResource ArtifactNode; click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | SystemInitScript["System Init Script"]; class EmulatedFileAnalysis DefensiveTechniqueNode; class SystemInitScript ArtifactNode; click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | UserInitScript["User Init Script"]; class EmulatedFileAnalysis DefensiveTechniqueNode; class UserInitScript ArtifactNode; click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; DynamicAnalysis["Dynamic Analysis"] --> | analyzes | NetworkInitScriptFileResource["Network Init Script File Resource"]; DynamicAnalysis["Dynamic Analysis"] -.-> | may-detect | T1037["Boot or Logon Initialization Scripts"] ; class DynamicAnalysis DefensiveTechniqueNode; class NetworkInitScriptFileResource ArtifactNode; 
click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; DynamicAnalysis["Dynamic Analysis"] --> | analyzes | SystemInitScript["System Init Script"]; class DynamicAnalysis DefensiveTechniqueNode; class SystemInitScript ArtifactNode; click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; DynamicAnalysis["Dynamic Analysis"] --> | analyzes | UserInitScript["User Init Script"]; class DynamicAnalysis DefensiveTechniqueNode; class UserInitScript ArtifactNode; click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | UserInitScript["User Init Script"]; FileIntegrityMonitoring["File Integrity Monitoring"] -.-> | may-detect | T1037["Boot or Logon Initialization Scripts"] ; class FileIntegrityMonitoring DefensiveTechniqueNode; class UserInitScript ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | NetworkInitScriptFileResource["Network Init Script File Resource"]; class FileIntegrityMonitoring DefensiveTechniqueNode; class NetworkInitScriptFileResource ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | SystemInitScript["System Init Script"]; class FileIntegrityMonitoring DefensiveTechniqueNode; class SystemInitScript ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileEviction["File Eviction"] --> | deletes | SystemInitScript["System Init Script"]; FileEviction["File Eviction"] -.-> | may-evict | T1037["Boot or Logon Initialization Scripts"] ; class FileEviction DefensiveTechniqueNode; class SystemInitScript ArtifactNode; click FileEviction href "/technique/d3f:FileEviction"; FileEviction["File Eviction"] --> | deletes | UserInitScript["User Init Script"]; class FileEviction DefensiveTechniqueNode; class UserInitScript ArtifactNode; 
click FileEviction href "/technique/d3f:FileEviction"; FileEviction["File Eviction"] --> | deletes | NetworkInitScriptFileResource["Network Init Script File Resource"]; class FileEviction DefensiveTechniqueNode; class NetworkInitScriptFileResource ArtifactNode; click FileEviction href "/technique/d3f:FileEviction"; FileEncryption["File Encryption"] --> | encrypts | UserInitScript["User Init Script"]; FileEncryption["File Encryption"] -.-> | may-harden | T1037["Boot or Logon Initialization Scripts"] ; class FileEncryption DefensiveTechniqueNode; class UserInitScript ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; FileEncryption["File Encryption"] --> | encrypts | NetworkInitScriptFileResource["Network Init Script File Resource"]; class FileEncryption DefensiveTechniqueNode; class NetworkInitScriptFileResource ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; FileEncryption["File Encryption"] --> | encrypts | SystemInitScript["System Init Script"]; class FileEncryption DefensiveTechniqueNode; class SystemInitScript ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; ContentModification["Content Modification"] --> | modifies | NetworkInitScriptFileResource["Network Init Script File Resource"]; ContentModification["Content Modification"] -.-> | may-isolate | T1037["Boot or Logon Initialization Scripts"] ; class ContentModification DefensiveTechniqueNode; class NetworkInitScriptFileResource ArtifactNode; click ContentModification href "/technique/d3f:ContentModification"; ContentModification["Content Modification"] --> | modifies | SystemInitScript["System Init Script"]; class ContentModification DefensiveTechniqueNode; class SystemInitScript ArtifactNode; click ContentModification href "/technique/d3f:ContentModification"; ContentModification["Content Modification"] --> | modifies | UserInitScript["User Init Script"]; class ContentModification DefensiveTechniqueNode; class UserInitScript ArtifactNode; 
click ContentModification href "/technique/d3f:ContentModification"; ContentQuarantine["Content Quarantine"] --> | quarantines | NetworkInitScriptFileResource["Network Init Script File Resource"]; ContentQuarantine["Content Quarantine"] -.-> | may-isolate | T1037["Boot or Logon Initialization Scripts"] ; class ContentQuarantine DefensiveTechniqueNode; class NetworkInitScriptFileResource ArtifactNode; click ContentQuarantine href "/technique/d3f:ContentQuarantine"; ContentQuarantine["Content Quarantine"] --> | quarantines | SystemInitScript["System Init Script"]; class ContentQuarantine DefensiveTechniqueNode; class SystemInitScript ArtifactNode; click ContentQuarantine href "/technique/d3f:ContentQuarantine"; ContentQuarantine["Content Quarantine"] --> | quarantines | UserInitScript["User Init Script"]; class ContentQuarantine DefensiveTechniqueNode; class UserInitScript ArtifactNode; click ContentQuarantine href "/technique/d3f:ContentQuarantine"; ExecutableDenylisting["Executable Denylisting"] --> | blocks | SystemInitScript["System Init Script"]; ExecutableDenylisting["Executable Denylisting"] -.-> | may-isolate | T1037["Boot or Logon Initialization Scripts"] ; class ExecutableDenylisting DefensiveTechniqueNode; class SystemInitScript ArtifactNode; click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; ExecutableDenylisting["Executable Denylisting"] --> | blocks | UserInitScript["User Init Script"]; class ExecutableDenylisting DefensiveTechniqueNode; class UserInitScript ArtifactNode; click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; ExecutableDenylisting["Executable Denylisting"] --> | blocks | NetworkInitScriptFileResource["Network Init Script File Resource"]; class ExecutableDenylisting DefensiveTechniqueNode; class NetworkInitScriptFileResource ArtifactNode; click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | 
NetworkInitScriptFileResource["Network Init Script File Resource"]; ExecutableAllowlisting["Executable Allowlisting"] -.-> | may-isolate | T1037["Boot or Logon Initialization Scripts"] ; class ExecutableAllowlisting DefensiveTechniqueNode; class NetworkInitScriptFileResource ArtifactNode; click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | UserInitScript["User Init Script"]; class ExecutableAllowlisting DefensiveTechniqueNode; class UserInitScript ArtifactNode; click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | SystemInitScript["System Init Script"]; class ExecutableAllowlisting DefensiveTechniqueNode; class SystemInitScript ArtifactNode; click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; NetworkResourceAccessMediation["Network Resource Access Mediation"] --> | isolates | NetworkInitScriptFileResource["Network Init Script File Resource"]; NetworkResourceAccessMediation["Network Resource Access Mediation"] -.-> | may-isolate | T1037["Boot or Logon Initialization Scripts"] ; class NetworkResourceAccessMediation DefensiveTechniqueNode; class NetworkInitScriptFileResource ArtifactNode; click NetworkResourceAccessMediation href "/technique/d3f:NetworkResourceAccessMediation"; LocalFilePermissions["Local File Permissions"] --> | restricts | SystemInitScript["System Init Script"]; LocalFilePermissions["Local File Permissions"] -.-> | may-isolate | T1037["Boot or Logon Initialization Scripts"] ; class LocalFilePermissions DefensiveTechniqueNode; class SystemInitScript ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; LocalFilePermissions["Local File Permissions"] --> | restricts | SystemStartupDirectory["System Startup Directory"]; class LocalFilePermissions DefensiveTechniqueNode; class SystemStartupDirectory ArtifactNode; click 
LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; LocalFilePermissions["Local File Permissions"] --> | restricts | UserInitScript["User Init Script"]; class LocalFilePermissions DefensiveTechniqueNode; class UserInitScript ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; LocalFilePermissions["Local File Permissions"] --> | restricts | NetworkInitScriptFileResource["Network Init Script File Resource"]; class LocalFilePermissions DefensiveTechniqueNode; class NetworkInitScriptFileResource ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; RestoreConfiguration["Restore Configuration"] --> | restores | SystemStartupDirectory["System Startup Directory"]; RestoreConfiguration["Restore Configuration"] -.-> | may-restore | T1037["Boot or Logon Initialization Scripts"] ; class RestoreConfiguration DefensiveTechniqueNode; class SystemStartupDirectory ArtifactNode; click RestoreConfiguration href "/technique/d3f:RestoreConfiguration"; RestoreConfiguration["Restore Configuration"] --> | restores | SystemInitScript["System Init Script"]; class RestoreConfiguration DefensiveTechniqueNode; class SystemInitScript ArtifactNode; click RestoreConfiguration href "/technique/d3f:RestoreConfiguration"; RestoreFile["Restore File"] --> | restores | UserInitScript["User Init Script"]; RestoreFile["Restore File"] -.-> | may-restore | T1037["Boot or Logon Initialization Scripts"] ; class RestoreFile DefensiveTechniqueNode; class UserInitScript ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; RestoreFile["Restore File"] --> | restores | NetworkInitScriptFileResource["Network Init Script File Resource"]; class RestoreFile DefensiveTechniqueNode; class NetworkInitScriptFileResource ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; RestoreFile["Restore File"] --> | restores | SystemInitScript["System Init Script"]; class RestoreFile DefensiveTechniqueNode; class 
SystemInitScript ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; ContentFiltering["Content Filtering"] --> | filters | NetworkInitScriptFileResource["Network Init Script File Resource"]; ContentFiltering["Content Filtering"] -.-> | may-isolate | T1037["Boot or Logon Initialization Scripts"] ; class ContentFiltering DefensiveTechniqueNode; class NetworkInitScriptFileResource ArtifactNode; click ContentFiltering href "/technique/d3f:ContentFiltering"; ContentFiltering["Content Filtering"] --> | filters | SystemInitScript["System Init Script"]; class ContentFiltering DefensiveTechniqueNode; class SystemInitScript ArtifactNode; click ContentFiltering href "/technique/d3f:ContentFiltering"; ContentFiltering["Content Filtering"] --> | filters | UserInitScript["User Init Script"]; class ContentFiltering DefensiveTechniqueNode; class UserInitScript ArtifactNode; click ContentFiltering href "/technique/d3f:ContentFiltering"; FileAnalysis["File Analysis"] --> | analyzes | SystemInitScript["System Init Script"]; FileAnalysis["File Analysis"] -.-> | may-detect | T1037["Boot or Logon Initialization Scripts"] ; class FileAnalysis DefensiveTechniqueNode; class SystemInitScript ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis"; FileAnalysis["File Analysis"] --> | analyzes | UserInitScript["User Init Script"]; class FileAnalysis DefensiveTechniqueNode; class UserInitScript ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis"; FileAnalysis["File Analysis"] --> | analyzes | NetworkInitScriptFileResource["Network Init Script File Resource"]; class FileAnalysis DefensiveTechniqueNode; class NetworkInitScriptFileResource ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis"; SystemInitConfigAnalysis["System Init Config Analysis"] --> | analyzes | SystemStartupDirectory["System Startup Directory"]; SystemInitConfigAnalysis["System Init Config Analysis"] -.-> | may-detect | T1037["Boot or Logon Initialization Scripts"] ; 
class SystemInitConfigAnalysis DefensiveTechniqueNode; class SystemStartupDirectory ArtifactNode; click SystemInitConfigAnalysis href "/technique/d3f:SystemInitConfigAnalysis"; SystemInitConfigAnalysis["System Init Config Analysis"] --> | analyzes | SystemInitScript["System Init Script"]; class SystemInitConfigAnalysis DefensiveTechniqueNode; class SystemInitScript ArtifactNode; click SystemInitConfigAnalysis href "/technique/d3f:SystemInitConfigAnalysis"; RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | NetworkInitScriptFileResource["Network Init Script File Resource"]; RemoteFileAccessMediation["Remote File Access Mediation"] -.-> | may-isolate | T1037["Boot or Logon Initialization Scripts"] ; class RemoteFileAccessMediation DefensiveTechniqueNode; class NetworkInitScriptFileResource ArtifactNode; click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation"; RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | SystemInitScript["System Init Script"]; class RemoteFileAccessMediation DefensiveTechniqueNode; class SystemInitScript ArtifactNode; click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation"; RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | UserInitScript["User Init Script"]; class RemoteFileAccessMediation DefensiveTechniqueNode; class UserInitScript ArtifactNode; click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";