Potential Persistence Via Logon Scripts - Registry

Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors

Sigma rule (View on GitHub)

 1title: Potential Persistence Via Logon Scripts - Registry
 2id: 9ace0707-b560-49b8-b6ca-5148b42f39fb
 3status: test
 4description: Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.001/T1037.001.md
 7author: Tom Ueltschi (@c_APT_ure)
 8date: 2019/01/12
 9modified: 2023/06/09
10tags:
11    - attack.t1037.001
12    - attack.persistence
13    - attack.lateral_movement
14logsource:
15    category: registry_add
16    product: windows
17detection:
18    selection:
19        EventType: CreateKey
20        TargetObject|contains: 'UserInitMprLogonScript'
21    condition: selection
22falsepositives:
23    - Investigate the contents of the "UserInitMprLogonScript" value to determine of the added script is legitimate
24level: medium

References

Related rules

to-top