security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
eb22807ddc4e4e766380c78bdbcfc7079dd32d49
blue-team-tools/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
T
frack113 4631d0c482 remove invalid tag
2022-01-19 18:23:30 +01:00

32 lines
923 B
YAML
Raw Blame History

title: Logon Scripts (UserInitMprLogonScript)
id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458
status: test
description: Detects creation or execution of UserInitMprLogonScript persistence method
author: Tom Ueltschi (@c_APT_ure)
references:
- https://attack.mitre.org/techniques/T1037/
date: 2019/01/12
modified: 2021/11/29
logsource:
category: process_creation
product: windows
detection:
exec_selection:
ParentImage|endswith: '\userinit.exe'
exec_exclusion1:
Image|endswith: '\explorer.exe'
exec_exclusion2:
CommandLine|contains:
- 'netlogon*.bat'
- 'UsrLogon.cmd'
create_keywords_cli:
CommandLine|contains: 'UserInitMprLogonScript'
condition: ( exec_selection and not exec_exclusion1 and not exec_exclusion2 ) or create_keywords_cli
falsepositives:
- exclude legitimate logon scripts
- penetration tests, red teaming
level: high
tags:
- attack.t1037.001
- attack.persistence
Reference in New Issue View Git Blame Copy Permalink