Logon Scripts - veramine/Detections GitHub Wiki
Windows allows logon scripts to run whenever a specific user or group of users logs into a system. The scripts are typically used for administrative tasks, which often means executing other programs or sending information to an internal logging server. An adversary might specify a new logon script on systems where none exists, or modify an existing logon script by inserting additional code so that their tools execute when a user logs in. This gives them persistence on a single system via a local script, or a way to move laterally within a network if the script is stored on a central server and pushed to many systems. You can learn more about attacker use of logon scripts at https://attack.mitre.org/wiki/Technique/T1037.
Veramine's detection engine highlights instances where the registry value that specifies a per-user logon script (HKCU\Environment\UserInitMprLogonScript, which Windows reads at logon) was added or modified. Here is an example detection:
Note that the Veramine detection engine is less likely to detect instances where an existing logon script is modified by an attacker: editing the script file on disk changes nothing in the registry value the detection watches, so that case needs a separate check on the script's content.
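As an added illustration (this is not Veramine's code, and the engine's actual rules are not on this page), the following Python runs a registry-based check of the kind described above over constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records, and pairs it with a content-hash check on the script files themselves to cover the modification case noted above. The SIDs, user names, process images, paths and script bodies are made up for the example; the registry value name and the Sysmon field names are real.

```python
"""Logon-script persistence checks: a registry-based rule over constructed Sysmon
records, plus the file-content check that catches edits the registry rule misses."""
import hashlib
import re

# Per-user logon script value Windows reads at logon. Sysmon reports HKCU paths as
# HKU\<SID>\..., and registry paths are case-insensitive, so match on the suffix.
LOGON_SCRIPT_VALUE_RE = re.compile(r"\\Environment\\UserInitMprLogonScript$", re.IGNORECASE)

# Script locations a normal user can write to; a logon script there is more suspicious
# than one under an admin-controlled path.
USER_WRITABLE_RE = re.compile(r"^(C:\\Users\\|%(USERPROFILE|APPDATA|LOCALAPPDATA|TEMP|TMP)%)",
                              re.IGNORECASE)

# Constructed records in the shape of Sysmon Event ID 13 (RegistryEvent: Value Set).
# Not real telemetry: SIDs, users, images and paths are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe", "User": r"CORP\alice",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Environment\UserInitMprLogonScript",
     "Details": r"C:\Users\alice\AppData\Roaming\update.bat"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Environment\TEMP",
     "Details": r"%USERPROFILE%\AppData\Local\Temp"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "User": r"CORP\bob",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1002\environment\userinitmprlogonscript",
     "Details": r"C:\Scripts\mapdrives.cmd"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "User": r"CORP\bob",
     "CommandLine": r"cmd.exe /c C:\Scripts\mapdrives.cmd"},  # not a registry event; ignored
]


def detect_logon_script_sets(events):
    """Return one alert per Event ID 13 record that sets the UserInitMprLogonScript value."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13 or not LOGON_SCRIPT_VALUE_RE.search(ev.get("TargetObject", "")):
            continue
        script = ev.get("Details", "")
        alerts.append({
            "user": ev["User"],
            "image": ev["Image"],          # process that wrote the value (regedit, reg.exe, malware)
            "script": script,
            "severity": "high" if USER_WRITABLE_RE.match(script) else "medium",
        })
    return alerts


def baseline_scripts(scripts):
    """Record SHA-256 of each script body. `scripts` maps path -> bytes; in production
    you would read the files that the registry values point to."""
    return {path: hashlib.sha256(body).hexdigest() for path, body in scripts.items()}


def detect_script_changes(baseline, current):
    """Return paths whose content differs from the baseline (or are new). An attacker
    who appends to an existing script never touches the registry value, so only a
    content check like this one sees that change."""
    return sorted(path for path, body in current.items()
                  if baseline.get(path) != hashlib.sha256(body).hexdigest())


# Constructed script bodies: the second appends a hidden payload launch to a legitimate
# drive-mapping script without changing its registry value.
BASELINE_SCRIPTS = {r"C:\Scripts\mapdrives.cmd": b"net use H: \\\\fs01\\home\\%USERNAME%\r\n"}
TAMPERED_SCRIPTS = {r"C:\Scripts\mapdrives.cmd": BASELINE_SCRIPTS[r"C:\Scripts\mapdrives.cmd"]
                    + b"start /b powershell -w hidden -c \"calc\"\r\n"}

if __name__ == "__main__":
    for alert in detect_logon_script_sets(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['user']} set logon script {alert['script']} via {alert['image']}")
    changed = detect_script_changes(baseline_scripts(BASELINE_SCRIPTS), TAMPERED_SCRIPTS)
    print("modified logon scripts:", changed)
```

The registry rule fires on both the regedit write into a user-writable AppData path (rated high) and the reg.exe write pointing at an admin-controlled path (rated medium); the svchost write to an unrelated Environment value and the process-creation event are ignored. The hash check is what flags the tampered mapdrives.cmd, since its registry value never changed. The severity split is a design choice for triage, not something the page states Veramine does.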