Potential Persistence Via Logon Scripts - CommandLine
Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence
Sigma rule (View on GitHub)
1title: Potential Persistence Via Logon Scripts - CommandLine
2id: 21d856f9-9281-4ded-9377-51a1a6e2a432
3related:
4 - id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458
5 type: derived
6status: test
7description: Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence
8references:
9 - https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html
10author: Tom Ueltschi (@c_APT_ure)
11date: 2019-01-12
12modified: 2023-06-09
13tags:
14 - attack.privilege-escalation
15 - attack.persistence
16 - attack.t1037.001
17logsource:
18 category: process_creation
19 product: windows
20detection:
21 selection:
22 CommandLine|contains: 'UserInitMprLogonScript'
23 condition: selection
24falsepositives:
25 - Legitimate addition of Logon Scripts via the command line by administrators or third party tools
26level: high
References
Related rules
- Potential Persistence Via Logon Scripts - Registry
- Uncommon Userinit Child Process
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain