Query the Registry for User-Logon, and Startup Scripts

AID2201032020.YAML

#####aid_begin
#description: fetch the information from user-logon, startup scripts
#id: aid2201032020
#processtype: query
#category: registry
#sourcelink: <na>
#tacticidlist: <na>
#techniqueidlist: <na>
#compatibleos: |-
#  windows 7
#  windows 8.*
#  windows 10
#  windows 11
#  windows server 2008 r2
#  windows server 2012
#  windows server 2012 r2
#  windows server 2016
#  windows server 2019
#compatibleengine: |-
#  powershell 2
#  powershell 3
#  powershell 4
#  powershell 5.*
#  powershell 7.*
#bgcommandlist: |-
#  invoke-loadallprofilehives
#  get-bgloadedreghives
#  get-bgmruactivityview
#  invoke-bgunloadallprofilehives
#notes: |-
#  adversaries may use windows logon scripts, which are executed automatically at logon initialization, to establish persistence. adversaries may use these registry locations to maintain persistence on a system. depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.
#####aid_end
commands:
- Get-BGRegistry -StartKey "HKCU\Environment" -MatchValue -MatchData -Pattern 'UserInitMprLogonScript'
- Get-BGRegistry -StartKey "HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff"
- Get-BGRegistry -StartKey "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logoff"
- Get-BGRegistry -StartKey "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon"
- Get-BGRegistry -StartKey "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown"
- Get-BGRegistry -StartKey "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup"
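The following is an added, stand-alone PowerShell sweep of the same six locations for live-host triage; it is not part of this aid file and does not use the Get-BGRegistry helper. It assumes PowerShell 3 or later and only built-in cmdlets; the Suspicious column is a constructed heuristic, not an authoritative verdict.

```powershell
# Added example: enumerate the logon/startup script locations this aid queries.
$Locations = @(
    'HKCU:\Environment',
    'HKCU:\Software\Policies\Microsoft\Windows\System\Scripts\Logoff',
    'HKLM:\Software\Policies\Microsoft\Windows\System\Scripts\Logoff',
    'HKLM:\Software\Policies\Microsoft\Windows\System\Scripts\Logon',
    'HKLM:\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown',
    'HKLM:\Software\Policies\Microsoft\Windows\System\Scripts\Startup'
)

function Get-LogonScriptArtifacts {
    param([string[]]$Paths = $Locations)
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        # Walk the key and all subkeys: Group Policy script entries live in numbered subkeys.
        $keys = @(Get-Item -LiteralPath $path) +
                @(Get-ChildItem -LiteralPath $path -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                # Keep REG_EXPAND_SZ data unexpanded so the stored string is what gets reported.
                $data = [string]$key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                # Under HKCU\Environment only UserInitMprLogonScript matters; report everything elsewhere.
                if ($path -eq 'HKCU:\Environment' -and $name -ne 'UserInitMprLogonScript') { continue }
                [pscustomobject]@{
                    Key        = $key.Name
                    Value      = $name
                    Data       = $data
                    # Constructed heuristic: script hosts or user-writable paths in the data.
                    Suspicious = $data -match '(?i)\\(Temp|AppData|Users\\Public)\\|\.(vbs|js|ps1|bat|cmd)$|powershell|cmd\.exe'
                }
            }
        }
    }
}

Get-LogonScriptArtifacts | Format-Table -AutoSize
```

HKCU: covers only the user running the sweep; other profiles' NTUSER.DAT hives must be loaded first (the bgcommandlist above lists the helpers this aid uses for that).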
