LoFP / legitimate addition of logon scripts via the command line by administrators or third party tools

Techniques

Sample rules

Potential Persistence Via Logon Scripts - CommandLine

Description

Detects a command line that adds a new logon script to the registry value “UserInitMprLogonScript”, a potential persistence mechanism.

Detection logic

condition: selection
selection:
  CommandLine|contains: UserInitMprLogonScript