CAPEC-564: Run Software at Logon

Operating system allows logon scripts to be run whenever a specific user or users logon to a system. If adversaries can access these scripts, they may insert additional code into the logon script. This code can allow them to maintain persistence or move laterally within an enclave because it is executed every time the affected user or users logon to a computer. Modifying logon scripts can effectively bypass workstation and enclave firewalls. Depending on the access configuration of the logon scripts, either local credentials or a remote administrative account may be necessary.

Last updated June 1, 2026

Not rated

Typical severity

Per MITRE

Not rated

Likelihood of attack

Per MITRE

1

Related weaknesses

CWEs this targets

Detailed

Abstraction

MITRE classification

Overview

CAPEC-564 (Run Software at Logon) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.

How to mitigate it

Defenses that reduce the risk of CAPEC-564.

Restrict write access to logon scripts to necessary administrators.

Terminology & mappings

Mapped taxonomies

ATTACK: Boot or Logon Initialization Scripts (1037)
ATTACK: Create or Modify System Process: Launch Agent (1543.001)
ATTACK: Create or Modify System Process: Launch Daemon (1543.004)

ATTACK: Boot or Logon Autostart Execution (1547)

Frequently asked questions

Common questions about CAPEC-564.

What is CAPEC-564?

Operating system allows logon scripts to be run whenever a specific user or users logon to a system. If adversaries can access these scripts, they may insert additional code into the logon script. This code can allow them to maintain persistence or move laterally within an enclave because it is executed every time the affected user or users logon to a computer. Modifying logon scripts can effectively bypass workstation and enclave firewalls. Depending on the access configuration of the logon scripts, either local credentials or a remote administrative account may be necessary.

How do you prevent CAPEC-564?

Restrict write access to logon scripts to necessary administrators.

What weaknesses does CAPEC-564 target?

CAPEC-564 exploits 1 CWE weakness, including CWE-284 (Improper Access Control).

References

Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.

Defend against CAPEC-564

Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.

Start free See pricing