Detectionhightest

Potential Persistence Via Logon Scripts - CommandLine

Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Tom UeltschiCreated Sat Jan 12Updated Fri Jun 0921d856f9-9281-4ded-9377-51a1a6e2a432windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        CommandLine|contains: 'UserInitMprLogonScript'
    condition: selection

False Positives

Legitimate addition of Logon Scripts via the command line by administrators or third party tools

References

MITRE ATT&CK

Tactics

Sub-techniques

Related Rules

Uncommon Userinit Child Process

Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence.

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata

Rule ID

21d856f9-9281-4ded-9377-51a1a6e2a432

Status

test

Level

high

Type

Detection

Created

Sat Jan 12

Modified

Fri Jun 09

Author

Path

rules/windows/process_creation/proc_creation_win_registry_logon_script.yml

Raw Tags

attack.privilege-escalationattack.persistenceattack.t1037.001