Find sigma rule

Attack: Boot or Logon Initialization Scripts: Logon Script (Windows)

Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.(Citation: TechNet Logon Scripts) This is done via adding a path to a script to the HKCU\Environment\UserInitMprLogonScript Registry key.(Citation: Hexacorn Logon Scripts)

Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

MITRE

Tactic

privilege-escalation
persistence

technique

T1037.001

Test : Logon Scripts

OS

windows

Description:

Adds a registry value to run batch script created in the %temp% directory. Upon execution, there will be a new environment variable in the HKCU\Environment key that can be viewed in the Registry Editor.

Executor

command_prompt

Sigma Rule

proc_creation_win_userinit_uncommon_child_processes.yml (id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458)
registry_add_persistence_logon_scripts_userinitmprlogonscript.yml (id: 9ace0707-b560-49b8-b6ca-5148b42f39fb)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test