sigmahighHunting

Potential Persistence Via Logon Scripts - CommandLine

Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence

MITRE ATT&CK

privilege-escalationpersistence

Detection Query

selection:
  CommandLine|contains: UserInitMprLogonScript
condition: selection

Author

Tom Ueltschi (@c_APT_ure)

Created

2019-01-12

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html

Tags

attack.privilege-escalationattack.persistenceattack.t1037.001

Raw Content

title: Potential Persistence Via Logon Scripts - CommandLine
id: 21d856f9-9281-4ded-9377-51a1a6e2a432
related:
    - id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458
      type: derived
status: test
description: Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence
references:
    - https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html
author: Tom Ueltschi (@c_APT_ure)
date: 2019-01-12
modified: 2023-06-09
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1037.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: 'UserInitMprLogonScript'
    condition: selection
falsepositives:
    - Legitimate addition of Logon Scripts via the command line by administrators or third party tools
level: high