rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml

title: Logon Scripts (UserInitMprLogonScript)
id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458
status: test
description: Detects creation or execution of UserInitMprLogonScript persistence method
author: Tom Ueltschi (@c_APT_ure)
references:
  - https://attack.mitre.org/techniques/T1037/
date: 2019/01/12
modified: 2022/02/21
logsource:
  category: process_creation
  product: windows
detection:
  exec_selection:
    ParentImage|endswith: '\userinit.exe'
  exec_exclusion1:
    Image|endswith: 
      - 'explorer.exe'
      - '\proquota.exe'
  exec_exclusion2:
    CommandLine|contains:
      - 'netlogon*.bat'
      - 'UsrLogon.cmd'
      - 'C:\WINDOWS\Explorer.EXE'
  create_keywords_cli:
    CommandLine|contains: 'UserInitMprLogonScript'
  condition: ( exec_selection and not 1 of exec_exclusion* ) or create_keywords_cli
falsepositives:
  - exclude legitimate logon scripts
  - penetration tests, red teaming
level: high
tags:
  - attack.t1037.001
  - attack.persistence
Rule: UserInitMprLogonScript persistence method 2019-01-12 12:01:03 +01:00			`title: Logon Scripts (UserInitMprLogonScript)`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`status: test`
Rule: UserInitMprLogonScript persistence method 2019-01-12 12:01:03 +01:00			`description: Detects creation or execution of UserInitMprLogonScript persistence method`
			`author: Tom Ueltschi (@c_APT_ure)`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`references:`
			`- https://attack.mitre.org/techniques/T1037/`
fix: fixed missing date fields in remaining files 2020-01-30 16:07:37 +01:00			`date: 2019/01/12`
fix: FPs noticed with Aurora 2022-02-21 18:43:18 +01:00			`modified: 2022/02/21`
Rule: UserInitMprLogonScript persistence method 2019-01-12 12:01:03 +01:00			`logsource:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`category: process_creation`
			`product: windows`
Rule: UserInitMprLogonScript persistence method 2019-01-12 12:01:03 +01:00			`detection:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`exec_selection:`
			`ParentImage\|endswith: '\userinit.exe'`
			`exec_exclusion1:`
Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2022-02-02 20:40:21 +01:00			`Image\|endswith:`
fix: several FPs against a fresh installed Windows with example applications and basic user interaction 2022-02-09 17:46:49 +01:00			`- 'explorer.exe'`
fix: FPs found in prod environment 2022-02-02 11:03:19 +01:00			`- '\proquota.exe'`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`exec_exclusion2:`
			`CommandLine\|contains:`
adding wildcard to netlogon to be a bit more inclusive. 2021-11-29 19:59:26 +00:00			`- 'netlogon*.bat'`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- 'UsrLogon.cmd'`
fix: FPs noticed with Aurora 2022-02-21 18:43:18 +01:00			`- 'C:\WINDOWS\Explorer.EXE'`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`create_keywords_cli:`
			`CommandLine\|contains: 'UserInitMprLogonScript'`
fix: FPs noticed with Aurora 2022-02-02 20:39:47 +01:00			`condition: ( exec_selection and not 1 of exec_exclusion* ) or create_keywords_cli`
refactor: sysmon rule cleanup > generlization 2020-07-01 10:58:39 +02:00			`falsepositives:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- exclude legitimate logon scripts`
			`- penetration tests, red teaming`
Update sysmon_logon_scripts_userinitmprlogonscript_proc.yml 2020-10-15 17:23:44 -03:00			`level: high`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`tags:`
			`- attack.t1037.001`
			`- attack.persistence`