Find sigma rule
Attack: Boot or Logon Initialization Scripts: Logon Script (Windows)
Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.(Citation: TechNet Logon Scripts) This is done via adding a path to a script to the HKCU\Environment\UserInitMprLogonScript
Registry key.(Citation: Hexacorn Logon Scripts)
Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.
MITRE
Tactic
- privilege-escalation
- persistence
technique
- T1037.001
Test : Logon Scripts
OS
- windows
Description:
Adds a registry value to run batch script created in the %temp% directory. Upon execution, there will be a new environment variable in the HKCU\Environment key that can be viewed in the Registry Editor.
Executor
command_prompt
Sigma Rule
-
proc_creation_win_userinit_uncommon_child_processes.yml (id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458)
-
registry_add_persistence_logon_scripts_userinitmprlogonscript.yml (id: 9ace0707-b560-49b8-b6ca-5148b42f39fb)