SigmaHQ/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml

54 lines
1.3 KiB
YAML
Raw Normal View History

action: global
title: Logon Scripts (UserInitMprLogonScript)
2019-11-12 22:12:27 +00:00
id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458
status: experimental
description: Detects creation or execution of UserInitMprLogonScript persistence method
references:
- https://attack.mitre.org/techniques/T1037/
tags:
- attack.t1037
- attack.persistence
- attack.lateral_movement
author: Tom Ueltschi (@c_APT_ure)
date: 2019/01/12
falsepositives:
- exclude legitimate logon scripts
- penetration tests, red teaming
level: high
---
logsource:
category: process_creation
product: windows
detection:
exec_selection:
ParentImage: '*\userinit.exe'
exec_exclusion1:
Image: '*\explorer.exe'
exec_exclusion2:
CommandLine:
- '*\netlogon.bat'
- '*\UsrLogon.cmd'
condition: exec_selection and not exec_exclusion1 and not exec_exclusion2
---
logsource:
category: process_creation
product: windows
detection:
create_keywords_cli:
CommandLine: '*UserInitMprLogonScript*'
condition: create_keywords_cli
---
logsource:
product: windows
service: sysmon
detection:
create_selection_reg:
EventID:
- 11
- 12
- 13
- 14
create_keywords_reg:
TargetObject: '*UserInitMprLogonScript*'
condition: create_selection_reg and create_keywords_reg