rules/windows/process_creation/proc_creation_win_persistence_userinitmprlogonscript.yml

title: Logon Scripts (UserInitMprLogonScript)
id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458
status: test
description: Detects creation or execution of UserInitMprLogonScript persistence method
references:
    - https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html
author: Tom Ueltschi (@c_APT_ure), Tim Shelton
date: 2019/01/12
modified: 2023/01/31
tags:
    - attack.t1037.001
    - attack.persistence
logsource:
    category: process_creation
    product: windows
detection:
    selection_cli:
        CommandLine|contains: 'UserInitMprLogonScript'
    selection_parent:
        ParentImage|endswith: '\userinit.exe'
    filter_parent:
        - CommandLine|contains:
            - 'netlogon*.bat'
            - 'UsrLogon.cmd'
            - 'C:\WINDOWS\Explorer.EXE'
        - Image|endswith:
            - '\explorer.exe'
            - '\proquota.exe'
            - '\Citrix\System32\icast.exe'
    condition: selection_cli or (selection_parent and not filter_parent)
falsepositives:
    - Exclude legitimate logon scripts
level: high
Rule: UserInitMprLogonScript persistence method 2019-01-12 12:01:03 +01:00			`title: Logon Scripts (UserInitMprLogonScript)`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`status: test`
Rule: UserInitMprLogonScript persistence method 2019-01-12 12:01:03 +01:00			`description: Detects creation or execution of UserInitMprLogonScript persistence method`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`references:`
$frack113$ Remove mitre url 2023-01-10 18:09:04 +01:00			`- https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html`
$frack113$ order yaml 2022-10-28 15:06:36 +02:00			`author: Tom Ueltschi (@c_APT_ure), Tim Shelton`
fix: fixed missing date fields in remaining files 2020-01-30 16:07:37 +01:00			`date: 2019/01/12`
fix: value 2023-01-31 12:25:32 +05:00			`modified: 2023/01/31`
$frack113$ order yaml 2022-10-28 15:06:36 +02:00			`tags:`
			`- attack.t1037.001`
			`- attack.persistence`
Rule: UserInitMprLogonScript persistence method 2019-01-12 12:01:03 +01:00			`logsource:`
$frack113$ order yaml 2022-10-28 15:06:36 +02:00			`category: process_creation`
			`product: windows`
Rule: UserInitMprLogonScript persistence method 2019-01-12 12:01:03 +01:00			`detection:`
feat: multiple fixes and updates 2023-02-21 22:15:30 +01:00			`selection_cli:`
			`CommandLine\|contains: 'UserInitMprLogonScript'`
			`selection_parent:`
$frack113$ order yaml 2022-10-28 15:06:36 +02:00			`ParentImage\|endswith: '\userinit.exe'`
fix: apply suggestions from code review 2023-02-22 11:05:50 +01:00			`filter_parent:`
feat: multiple fixes and updates 2023-02-21 22:15:30 +01:00			`- CommandLine\|contains:`
$frack113$ order yaml 2022-10-28 15:06:36 +02:00			`- 'netlogon*.bat'`
			`- 'UsrLogon.cmd'`
			`- 'C:\WINDOWS\Explorer.EXE'`
feat: multiple fixes and updates 2023-02-21 22:15:30 +01:00			`- Image\|endswith:`
			`- '\explorer.exe'`
			`- '\proquota.exe'`
			`- '\Citrix\System32\icast.exe'`
fix: apply suggestions from code review 2023-02-22 11:05:50 +01:00			`condition: selection_cli or (selection_parent and not filter_parent)`
refactor: sysmon rule cleanup > generlization 2020-07-01 10:58:39 +02:00			`falsepositives:`
$frack113$ order yaml 2022-10-28 15:06:36 +02:00			`- Exclude legitimate logon scripts`
Update sysmon_logon_scripts_userinitmprlogonscript_proc.yml 2020-10-15 17:23:44 -03:00			`level: high`