Potential Persistence Via Logon Scripts - CommandLine

Jun 9, 2023 · attack.persistence attack.t1037.001 ·

Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence

Sigma rule (View on GitHub)

 1title: Potential Persistence Via Logon Scripts - CommandLine
 2id: 21d856f9-9281-4ded-9377-51a1a6e2a432
 3related:
 4    - id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458
 5      type: derived
 6status: experimental
 7description: Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence
 8references:
 9    - https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html
10author: Tom Ueltschi (@c_APT_ure)
11date: 2019/01/12
12modified: 2023/06/09
13tags:
14    - attack.persistence
15    - attack.t1037.001
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection:
21        CommandLine|contains: 'UserInitMprLogonScript'
22    condition: selection
23falsepositives:
24    - Legitimate addition of Logon Scripts via the command line by administrators or third party tools
25level: high

References

Malware development: persistence - part 20. UserInitMprLogonScript (Logon Script). Simple C++ example.

﷽

Read More

Potential Persistence Via Logon Scripts - CommandLine

Sigma rule (View on GitHub)

References

Malware development: persistence - part 20. UserInitMprLogonScript (Logon Script). Simple C++ example.

Related rules