One Day Sec

What registry key should defenders monitor to detect Logon Script abuse?

Defenders should monitor the registry key HKCU\Environment\UserInitMprLogonScript. Unauthorized creation or modification of this value could indicate an attacker attempting to establish persistence via Logon Scripts.

---
**Related reading:**
- Use Logon Scripts to maintain persistence — original article
- Penetration Basics - Obfuscating Strings Using Unicode Encoding
- Sophos UTM Analysis - Clearing Last WebAdmin Sessions Records
- Penetration Basics - Methods to Continuously Obtain Exchange User Inbox Emails