Boot or Logon Initialization Scripts - T1037
(ATT&CK® Technique)
Definition
Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform administrative functions, which may often involve executing other programs or sending information to an internal logging server. These scripts can vary based on the operating system and on whether they are applied locally or remotely.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
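%% D3FEND inferred relationships for ATT&CK technique T1037
%% (Boot or Logon Initialization Scripts).
%%
%% How to read this graph:
%%   - T1037 "modifies" four digital artifacts (startup directory and the
%%     system, user and network init scripts).
%%   - Each defensive technique has a solid edge to the artifact(s) it acts on
%%     (spoofs, analyzes, deletes, encrypts, blocks, restricts, isolates, restores).
%%   - Each defensive technique has one dashed edge to T1037. The "may-" label
%%     marks it as a relationship inferred through the shared artifact, not a
%%     confirmed countermeasure; validate coverage in your own environment.
%%
%% Every node is declared once with its label, every edge appears once in its
%% original order, and class/click statements are grouped at the end.
graph LR

  %% Offensive technique
  T1037["Boot or Logon Initialization Scripts"]

  %% Digital artifacts the technique modifies
  SystemStartupDirectory["System Startup Directory"]
  SystemInitScript["System Init Script"]
  UserInitScript["User Init Script"]
  NetworkInitScriptFileResource["Network Init Script File Resource"]

  %% Defensive techniques
  DecoyNetworkResource["Decoy Network Resource"]
  DecoyFile["Decoy File"]
  DynamicAnalysis["Dynamic Analysis"]
  EmulatedFileAnalysis["Emulated File Analysis"]
  FileIntegrityMonitoring["File Integrity Monitoring"]
  FileEviction["File Eviction"]
  FileEncryption["File Encryption"]
  ExecutableAllowlisting["Executable Allowlisting"]
  ExecutableDenylisting["Executable Denylisting"]
  LocalFilePermissions["Local File Permissions"]
  NetworkResourceAccessMediation["Network Resource Access Mediation"]
  RestoreFile["Restore File"]
  RestoreConfiguration["Restore Configuration"]
  FileAnalysis["File Analysis"]
  SystemInitConfigAnalysis["System Init Config Analysis"]
  RemoteFileAccessMediation["Remote File Access Mediation"]

  %% Technique -> artifact
  T1037 --> |modifies| SystemStartupDirectory
  T1037 --> |modifies| SystemInitScript
  T1037 --> |modifies| UserInitScript
  T1037 --> |modifies| NetworkInitScriptFileResource

  %% Deceive
  DecoyNetworkResource --> | spoofs | NetworkInitScriptFileResource
  DecoyNetworkResource -.-> | may-deceive | T1037
  DecoyFile --> | spoofs | SystemInitScript
  DecoyFile -.-> | may-deceive | T1037
  DecoyFile --> | spoofs | UserInitScript
  DecoyFile --> | spoofs | NetworkInitScriptFileResource

  %% Detect
  DynamicAnalysis --> | analyzes | SystemInitScript
  DynamicAnalysis -.-> | may-detect | T1037
  DynamicAnalysis --> | analyzes | UserInitScript
  EmulatedFileAnalysis --> | analyzes | UserInitScript
  EmulatedFileAnalysis -.-> | may-detect | T1037
  EmulatedFileAnalysis --> | analyzes | NetworkInitScriptFileResource
  EmulatedFileAnalysis --> | analyzes | SystemInitScript
  DynamicAnalysis --> | analyzes | NetworkInitScriptFileResource
  FileIntegrityMonitoring --> | analyzes | SystemInitScript
  FileIntegrityMonitoring -.-> | may-detect | T1037
  FileIntegrityMonitoring --> | analyzes | UserInitScript
  FileIntegrityMonitoring --> | analyzes | NetworkInitScriptFileResource

  %% Evict
  FileEviction --> | deletes | NetworkInitScriptFileResource
  FileEviction -.-> | may-evict | T1037
  FileEviction --> | deletes | SystemInitScript
  FileEviction --> | deletes | UserInitScript

  %% Harden
  FileEncryption --> | encrypts | UserInitScript
  FileEncryption -.-> | may-harden | T1037
  FileEncryption --> | encrypts | SystemInitScript
  FileEncryption --> | encrypts | NetworkInitScriptFileResource

  %% Isolate
  ExecutableAllowlisting --> | blocks | UserInitScript
  ExecutableAllowlisting -.-> | may-isolate | T1037
  ExecutableAllowlisting --> | blocks | SystemInitScript
  ExecutableDenylisting --> | blocks | NetworkInitScriptFileResource
  ExecutableDenylisting -.-> | may-isolate | T1037
  ExecutableAllowlisting --> | blocks | NetworkInitScriptFileResource
  ExecutableDenylisting --> | blocks | UserInitScript
  ExecutableDenylisting --> | blocks | SystemInitScript
  LocalFilePermissions --> | restricts | SystemStartupDirectory
  LocalFilePermissions -.-> | may-isolate | T1037
  LocalFilePermissions --> | restricts | SystemInitScript
  LocalFilePermissions --> | restricts | UserInitScript
  LocalFilePermissions --> | restricts | NetworkInitScriptFileResource
  NetworkResourceAccessMediation --> | isolates | NetworkInitScriptFileResource
  NetworkResourceAccessMediation -.-> | may-isolate | T1037

  %% Restore
  RestoreFile --> | restores | NetworkInitScriptFileResource
  RestoreFile -.-> | may-restore | T1037
  RestoreFile --> | restores | UserInitScript
  RestoreFile --> | restores | SystemInitScript
  RestoreConfiguration --> | restores | SystemInitScript
  RestoreConfiguration -.-> | may-restore | T1037
  RestoreConfiguration --> | restores | SystemStartupDirectory

  %% Detect (continued)
  FileAnalysis --> | analyzes | UserInitScript
  FileAnalysis -.-> | may-detect | T1037
  FileAnalysis --> | analyzes | NetworkInitScriptFileResource
  FileAnalysis --> | analyzes | SystemInitScript
  SystemInitConfigAnalysis --> | analyzes | SystemStartupDirectory
  SystemInitConfigAnalysis -.-> | may-detect | T1037
  SystemInitConfigAnalysis --> | analyzes | SystemInitScript

  %% Isolate (continued)
  RemoteFileAccessMediation --> | isolates | NetworkInitScriptFileResource
  RemoteFileAccessMediation -.-> | may-isolate | T1037
  RemoteFileAccessMediation --> | isolates | SystemInitScript
  RemoteFileAccessMediation --> | isolates | UserInitScript

  %% Node styling classes
  class T1037 OffensiveTechniqueNode
  class SystemStartupDirectory,SystemInitScript,UserInitScript,NetworkInitScriptFileResource ArtifactNode
  class DecoyNetworkResource,DecoyFile,DynamicAnalysis,EmulatedFileAnalysis DefensiveTechniqueNode
  class FileIntegrityMonitoring,FileEviction,FileEncryption,ExecutableAllowlisting DefensiveTechniqueNode
  class ExecutableDenylisting,LocalFilePermissions,NetworkResourceAccessMediation,RestoreFile DefensiveTechniqueNode
  class RestoreConfiguration,FileAnalysis,SystemInitConfigAnalysis,RemoteFileAccessMediation DefensiveTechniqueNode

  %% Node links into the D3FEND knowledge graph
  click T1037 href "/offensive-technique/attack/T1037/"
  click SystemStartupDirectory href "/dao/artifact/d3f:SystemStartupDirectory"
  click SystemInitScript href "/dao/artifact/d3f:SystemInitScript"
  click UserInitScript href "/dao/artifact/d3f:UserInitScript"
  click NetworkInitScriptFileResource href "/dao/artifact/d3f:NetworkInitScriptFileResource"
  click DecoyNetworkResource href "/technique/d3f:DecoyNetworkResource"
  click DecoyFile href "/technique/d3f:DecoyFile"
  click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"
  click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"
  click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"
  click FileEviction href "/technique/d3f:FileEviction"
  click FileEncryption href "/technique/d3f:FileEncryption"
  click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"
  click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"
  click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"
  click NetworkResourceAccessMediation href "/technique/d3f:NetworkResourceAccessMediation"
  click RestoreFile href "/technique/d3f:RestoreFile"
  click RestoreConfiguration href "/technique/d3f:RestoreConfiguration"
  click FileAnalysis href "/technique/d3f:FileAnalysis"
  click SystemInitConfigAnalysis href "/technique/d3f:SystemInitConfigAnalysis"
  click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation"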