Potential Persistence Via Logon Scripts - Registry
Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors
Sigma rule (View on GitHub)
1title: Potential Persistence Via Logon Scripts - Registry
2id: 9ace0707-b560-49b8-b6ca-5148b42f39fb
3status: test
4description: Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.001/T1037.001.md
7author: Tom Ueltschi (@c_APT_ure)
8date: 2019-01-12
9modified: 2025-10-26
10tags:
11 - attack.privilege-escalation
12 - attack.t1037.001
13 - attack.persistence
14 - attack.lateral-movement
15logsource:
16 category: registry_set
17 product: windows
18detection:
19 selection:
20 TargetObject|contains: 'UserInitMprLogonScript'
21 condition: selection
22falsepositives:
23 - Investigate the contents of the "UserInitMprLogonScript" value to determine of the added script is legitimate
24level: medium
25regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript/info.yml
26simulation:
27 - type: atomic-red-team
28 name: Logon Scripts
29 technique: T1037.001
30 atomic_guid: d6042746-07d4-4c92-9ad8-e644c114a231
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- AWS Suspicious SAML Activity
- Admin User Remote Logon
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- OpenCanary - SSH Login Attempt