CAPEC-564: Run Software at Logon
Detailed
Draft
CAPEC版本: 3.9
更新日期: 2023-01-24
攻击模式描述
Operating system allows logon scripts to be run whenever a specific user or users logon to a system. If adversaries can access these scripts, they may insert additional code into the logon script. This code can allow them to maintain persistence or move laterally within an enclave because it is executed every time the affected user or users logon to a computer. Modifying logon scripts can effectively bypass workstation and enclave firewalls. Depending on the access configuration of the logon scripts, either local credentials or a remote administrative account may be necessary.
缓解措施
Restrict write access to logon scripts to necessary administrators.
分类映射
| 分类名称 | 条目ID | 条目名称 |
|---|---|---|
| ATTACK | 1037 | Boot or Logon Initialization Scripts |
| ATTACK | 1543.001 | Create or Modify System Process: Launch Agent |
| ATTACK | 1543.004 | Create or Modify System Process: Launch Daemon |
| ATTACK | 1547 | Boot or Logon Autostart Execution |