action: global title: Logon Scripts (UserInitMprLogonScript) id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458 status: experimental description: Detects creation or execution of UserInitMprLogonScript persistence method references: - https://attack.mitre.org/techniques/T1037/ tags: - attack.t1037 - attack.persistence - attack.lateral_movement author: Tom Ueltschi (@c_APT_ure) falsepositives: - exclude legitimate logon scripts - penetration tests, red teaming level: high --- logsource: category: process_creation product: windows detection: exec_selection: ParentImage: '*\userinit.exe' exec_exclusion1: Image: '*\explorer.exe' exec_exclusion2: CommandLine: '*\netlogon.bat' condition: exec_selection and not exec_exclusion1 and not exec_exclusion2 --- logsource: category: process_creation product: windows detection: create_keywords_cli: CommandLine: '*UserInitMprLogonScript*' condition: create_keywords_cli --- logsource: product: windows service: sysmon detection: create_selection_reg: EventID: - 11 - 12 - 13 - 14 create_keywords_reg: TargetObject: '*UserInitMprLogonScript*' condition: create_selection_reg and create_keywords_reg