title: Logon Scripts (UserInitMprLogonScript)
id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458
status: test
description: Detects creation or execution of UserInitMprLogonScript persistence method
references:
    - https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html
author: Tom Ueltschi (@c_APT_ure), Tim Shelton
date: 2019/01/12
modified: 2023/01/31
tags:
    - attack.t1037.001
    - attack.persistence
logsource:
    category: process_creation
    product: windows
detection:
    selection_cli:
        CommandLine|contains: 'UserInitMprLogonScript'
    selection_parent:
        ParentImage|endswith: '\userinit.exe'
    filter_parent:
        - CommandLine|contains:
            - 'netlogon*.bat'
            - 'UsrLogon.cmd'
            - 'C:\WINDOWS\Explorer.EXE'
        - Image|endswith:
            - '\explorer.exe'
            - '\proquota.exe'
            - '\Citrix\System32\icast.exe'
    condition: selection_cli or (selection_parent and not filter_parent)
falsepositives:
    - Exclude legitimate logon scripts
level: high