security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ffc87968cfac542689aee001fc2fd39deefe67f8
blue-team-tools/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml
T

26 lines
714 B
YAML
Raw Normal View History

fix: duplicate IDs and rule titles
2020-07-01 16:37:27 +02:00
title: Logon Scripts (UserInitMprLogonScript) Registry
id: 9ace0707-b560-49b8-b6ca-5148b42f39fb
Change status for old rules
2021-11-27 11:33:14 +01:00
status: test
refactor: sysmon rule cleanup > generlization
2020-07-01 10:58:39 +02:00
description: Detects creation or execution of UserInitMprLogonScript persistence method
author: Tom Ueltschi (@c_APT_ure)
Change status for old rules
2021-11-27 11:33:14 +01:00
references:
- https://attack.mitre.org/techniques/T1037/
refactor: sysmon rule cleanup > generlization
2020-07-01 10:58:39 +02:00
date: 2019/01/12
Change status for old rules
2021-11-27 11:33:14 +01:00
modified: 2021/11/27
refactor: sysmon rule cleanup > generlization
2020-07-01 10:58:39 +02:00
logsource:
Change status for old rules
2021-11-27 11:33:14 +01:00
category: registry_event
product: windows
refactor: sysmon rule cleanup > generlization
2020-07-01 10:58:39 +02:00
detection:
Change status for old rules
2021-11-27 11:33:14 +01:00
create_keywords_reg:
TargetObject|contains: 'UserInitMprLogonScript'
condition: create_keywords_reg
refactor: sysmon rule cleanup > generlization
2020-07-01 10:58:39 +02:00
falsepositives:
Change status for old rules
2021-11-27 11:33:14 +01:00
- exclude legitimate logon scripts
- penetration tests, red teaming
Update sysmon_logon_scripts_userinitmprlogonscript_reg.yml
2020-10-15 20:04:05 -03:00
level: high
Change status for old rules
2021-11-27 11:33:14 +01:00
tags:
- attack.t1037 # an old one
- attack.t1037.001
- attack.persistence
- attack.lateral_movement
Reference in New Issue Copy Permalink