What is the recommended defense against Logon Scripts persistence attacks?
The primary defense is to monitor changes to the registry key `HKCR\Environment\UserInitMprLogonScript`. Any unauthorized creation or modification of this key should trigger an alert. Additionally, organizations should enforce strict access controls on the registry and use endpoint detection and response (EDR) tools to detect suspicious logon script executions.
---
**Related reading:**
- Use Logon Scripts to maintain persistence — original article
- Penetration Techniques - Obtaining Net-NTLM Hash via HTTP Protocol
- Webmin<=1.920-Unauthenticated_RCE(CVE-2019-15107) Exploitation Test
- Pupy Exploitation Analysis - Features on Windows Platform
---
**Related reading:**
- Use Logon Scripts to maintain persistence — original article
- Penetration Techniques - Obtaining Net-NTLM Hash via HTTP Protocol
- Webmin<=1.920-Unauthenticated_RCE(CVE-2019-15107) Exploitation Test
- Pupy Exploitation Analysis - Features on Windows Platform
defenseregistry monitoringUserInitMprLogonScriptendpoint securityEDR