
Potential Persistence Via Logon Scripts - Registry

Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors

Author: Tom Ueltschi (created Sat Jan 12, updated Sun Oct 26)
Log Source
Product: Windows (raw: windows)
Category: Registry Set (raw: registry_set)
Detection Logic (1 selector)
detection:
    selection:
        TargetObject|contains: 'UserInitMprLogonScript'
    condition: selection
False Positives

Investigate the contents of the "UserInitMprLogonScript" value to determine whether the added script is legitimate
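The selection above and the false-positive check it calls for, worked as an added example that is not part of the Sigma rule or the SigmaHQ project: the rule's `TargetObject|contains` match is applied to constructed Sysmon Event ID 13 records, and each hit is reduced to the fields an analyst needs (which hive, which process set the value, and the script path it now points to). The sample events, the `USER_WRITABLE_HINTS` heuristic and all function names are assumptions made for this illustration.

```python
# Constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records, using the
# field names Sigma's registry_set category maps to. Sample data, not from the page.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKU\S-1-5-21-111\Environment\UserInitMprLogonScript",
     "Details": r"C:\Users\alice\AppData\Roaming\update.bat"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain",
     "Details": "corp.example"},
    {"EventID": 13, "Image": r"C:\Windows\System32\gpscript.exe",
     "TargetObject": r"HKU\S-1-5-21-222\Environment\UserInitMprLogonScript",
     "Details": r"\\dc01\netlogon\mapdrives.vbs"},
]

# Locations an ordinary user can write to; a logon script stored there deserves a
# closer look than one served from a domain share. Illustrative heuristic only,
# not part of the Sigma rule.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def rule_matches(event):
    """The Sigma selection: TargetObject|contains 'UserInitMprLogonScript'.
    Sigma string matching is case-insensitive by default, so compare lowercased."""
    return "userinitmprlogonscript" in event.get("TargetObject", "").lower()


def triage(events):
    """Run the rule over registry-set events and return, per hit, the fields an
    analyst needs for the false-positive check: whose hive was touched, which
    process set the value, and the script path the value now points to."""
    hits = []
    for e in events:
        if e.get("EventID") != 13 or not rule_matches(e):
            continue
        parts = e["TargetObject"].split("\\")
        script = e.get("Details", "")
        hits.append({
            "hive": parts[1] if len(parts) > 1 else "",
            "set_by": e.get("Image", ""),
            "script": script,
            "user_writable": any(h in script.lower() for h in USER_WRITABLE_HINTS),
        })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

On the constructed data the rule fires twice; the profile-local batch file is flagged as user-writable, while the NETLOGON-share script set by gpscript.exe is the kind of hit the false-positive note describes.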

Testing & Validation

Simulations

Atomic Red Team: T1037.001 - Logon Scripts
GUID: d6042746-07d4-4c92-9ad8-e644c114a231

Regression Tests

Positive Detection Test (by SigmaHQ Team): 1 match, evtx sample from Microsoft-Windows-Sysmon

Rule Metadata
Rule ID: 9ace0707-b560-49b8-b6ca-5148b42f39fb
Status: test
Level: medium
Type: Detection
Created: Sat Jan 12
Modified: Sun Oct 26
Path: rules/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript.yml
Raw Tags: attack.privilege-escalation, attack.t1037.001, attack.persistence, attack.lateral-movement