security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
feb836cbf2833dfc714e5e63763809d20f7aacf3
blue-team-tools/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
T
Florian Roth 038f205f0f fix: FPs with UserInitMprLogonScript rule
2019-11-09 23:32:53 +01:00

42 lines
1.2 KiB
YAML
Raw Blame History

title: Logon Scripts (UserInitMprLogonScript)
status: experimental
description: Detects creation or execution of UserInitMprLogonScript persistence method
references:
- https://attack.mitre.org/techniques/T1037/
tags:
- attack.t1037
- attack.persistence
- attack.lateral_movement
author: Tom Ueltschi (@c_APT_ure)
logsource:
product: windows
service: sysmon
detection:
exec_selection:
EventID: 1 # Migration to process_creation requires multipart YAML
ParentImage: '*\userinit.exe'
exec_exclusion1:
Image: '*\explorer.exe'
exec_exclusion2:
CommandLine: '*\netlogon.bat'
create_selection_cli:
EventID:
- 1
create_selection_reg:
EventID:
- 11
- 12
- 13
- 14
create_keywords_reg:
TargetObject:
- '*UserInitMprLogonScript*'
create_keywords_cli:
CommandLine:
- '*UserInitMprLogonScript*'
condition: (exec_selection and not exec_exclusion1 and not exec_exclusion2) or (create_selection_reg and create_keywords_reg) or (create_selection_cli and create_keywords_cli)
falsepositives:
- exclude legitimate logon scripts
- penetration tests, red teaming
level: high
Reference in New Issue View Git Blame Copy Permalink