LoFP / investigate the contents of the "UserInitMprLogonScript" value to determine if the added script is legitimate

Techniques

Sample rules

Potential Persistence Via Logon Scripts - Registry

Description

Detects creation of the “UserInitMprLogonScript” registry value, which can be used as a persistence method by malicious actors.

Detection logic

condition: selection
selection:
  EventType: CreateKey
  TargetObject|contains: UserInitMprLogonScript