Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects.(Citation: Petri Logon Script AD) These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, initializing one of these scripts could apply to more than one or potentially all systems.
Adversaries may use these scripts to maintain persistence on a network. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.
Detect Network Logon Script Abuse via Multi-Event Correlation on Windows
Restrict File and Directory Permissions: Restricting file and directory permissions involves setting access controls at the file system level to limit which users, groups, or processes can read, write, or execute files. By configuring permissions appropriately, organizations can reduce the attack surface for adversaries seeking to access sensitive data, plant malicious code, or tamper with system files.
Enforce Least Privilege Permissions:
Example (Windows): Right-click the shared folder → Properties → Security tab → Adjust permissions for NTFS ACLs.
Harden File Shares:
Example: Set permissions to restrict write access to critical files, such as system executables (e.g., /bin or /sbin on Linux). Use tools like chown and chmod to assign file ownership and limit access.
On Linux, apply:
chmod 750 /etc/sensitive.conf
chown root:admin /etc/sensitive.conf
File Integrity Monitoring (FIM):
Audit File System Access:
Restrict Startup Directories:
C:\ProgramData\Microsoft\Windows\Start Menu.Example: Restrict write access to critical directories like /etc/, /usr/local/, and Windows directories such as C:\Windows\System32.
icacls "C:\Windows\System32" /inheritance:r /grant:r SYSTEM:(OI)(CI)Flsattr or auditd.