rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml

title: Logon Scripts (UserInitMprLogonScript)
status: experimental
description: Detects creation or execution of UserInitMprLogonScript persistence method
references:
    - https://attack.mitre.org/techniques/T1037/
tags:
    - attack.t1037
    - attack.persistence
    - attack.lateral_movement
author: Tom Ueltschi (@c_APT_ure)
logsource:
    product: windows
    service: sysmon
detection:
    exec_selection:
        EventID: 1 # Migration to process_creation requires multipart YAML
        ParentImage: '*\userinit.exe'
    exec_exclusion1:
        Image: '*\explorer.exe'
    exec_exclusion2:
        CommandLine: '*\netlogon.bat'
    create_selection_cli:
        EventID:
            - 1
    create_selection_reg:
        EventID:
            - 11
            - 12
            - 13
            - 14
    create_keywords_reg:
        TargetObject:
            - '*UserInitMprLogonScript*'
    create_keywords_cli:
        CommandLine:
            - '*UserInitMprLogonScript*'
    condition: (exec_selection and not exec_exclusion1 and not exec_exclusion2) or (create_selection_reg and create_keywords_reg) or (create_selection_cli and create_keywords_cli)
falsepositives:
    - exclude legitimate logon scripts
    - penetration tests, red teaming
level: high
Rule: UserInitMprLogonScript persistence method 2019-01-12 12:01:03 +01:00			`title: Logon Scripts (UserInitMprLogonScript)`
			`status: experimental`
			`description: Detects creation or execution of UserInitMprLogonScript persistence method`
			`references:`
			`- https://attack.mitre.org/techniques/T1037/`
			`tags:`
			`- attack.t1037`
			`- attack.persistence`
			`- attack.lateral_movement`
			`author: Tom Ueltschi (@c_APT_ure)`
			`logsource:`
			`product: windows`
			`service: sysmon`
			`detection:`
Reverting back to regular Sysmon 1 to fix CI test 2019-03-09 21:31:56 +03:00			`exec_selection:`
			`EventID: 1 # Migration to process_creation requires multipart YAML`
			`ParentImage: '*\userinit.exe'`
fix: FPs with UserInitMprLogonScript rule 2019-11-09 23:32:53 +01:00			`exec_exclusion1:`
Reverting back to regular Sysmon 1 to fix CI test 2019-03-09 21:31:56 +03:00			`Image: '*\explorer.exe'`
fix: FPs with UserInitMprLogonScript rule 2019-11-09 23:32:53 +01:00			`exec_exclusion2:`
Reverting back to regular Sysmon 1 to fix CI test 2019-03-09 21:31:56 +03:00			`CommandLine: '*\netlogon.bat'`
fix: bound sysmon logon script rule to field 2019-11-02 11:43:04 +01:00			`create_selection_cli:`
Rule: UserInitMprLogonScript persistence method 2019-01-12 12:01:03 +01:00			`EventID:`
Reverting back to regular Sysmon 1 to fix CI test 2019-03-09 21:31:56 +03:00			`- 1`
fix: bound sysmon logon script rule to field 2019-11-02 11:43:04 +01:00			`create_selection_reg:`
			`EventID:`
Rule: UserInitMprLogonScript persistence method 2019-01-12 12:01:03 +01:00			`- 11`
			`- 12`
			`- 13`
			`- 14`
fix: bound sysmon logon script rule to field 2019-11-02 11:43:04 +01:00			`create_keywords_reg:`
			`TargetObject:`
			`- 'UserInitMprLogonScript'`
			`create_keywords_cli:`
			`CommandLine:`
			`- 'UserInitMprLogonScript'`
fix: FPs with UserInitMprLogonScript rule 2019-11-09 23:32:53 +01:00			`condition: (exec_selection and not exec_exclusion1 and not exec_exclusion2) or (create_selection_reg and create_keywords_reg) or (create_selection_cli and create_keywords_cli)`
Reverting back to regular Sysmon 1 to fix CI test 2019-03-09 21:31:56 +03:00			`falsepositives:`
			`- exclude legitimate logon scripts`
			`- penetration tests, red teaming`
fix: bound sysmon logon script rule to field 2019-11-02 11:43:04 +01:00			`level: high`