Logon Scripts with UserInitMprLogonScript

Detect modification of the Windows logon script stored in HKCU\Environment\UserInitMprLogonScript, which is triggered when a user logs in.

id: 54fff7e8-f81d-4169-b820-4cbff0133e2d
categories: detect
confidence: medium
os: windows
created: 11/30/2018
updated: 11/30/2018

MITRE ATT&CK™ Mapping

tactics: Persistence
techniques: T1037 Logon Scripts

Query

registry where key_path == "*\\Environment\\UserInitMprLogonScript"
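
The query's matching logic applied to a few constructed registry events, as an added example that is not part of the original analytic. The `key_path` field comes from the query; `event_type`, `registry_data` and `process_name` are assumed field names, and the comparison is lowercased because registry paths are case-insensitive.

```python
import re
from fnmatch import fnmatchcase

# Pattern from the query, with EQL's doubled backslashes unescaped.
PATTERN = r"*\Environment\UserInitMprLogonScript"
SID_RE = re.compile(r"\\(S-\d-\d+(?:-\d+)+)\\Environment\\", re.IGNORECASE)

def matches(event):
    """True when a registry event touches the UserInitMprLogonScript value."""
    if event.get("event_type") != "registry":   # assumed field name
        return False
    path = event.get("key_path") or ""
    # Registry paths are case-insensitive, so compare lowercased.
    return fnmatchcase(path.lower(), PATTERN.lower())

def detect(events):
    """Return one alert per matching event, tagged with the affected user SID."""
    alerts = []
    for ev in events:
        if not matches(ev):
            continue
        sid = SID_RE.search(ev["key_path"])
        alerts.append({
            "sid": sid.group(1) if sid else None,
            "script": ev.get("registry_data"),    # assumed field name
            "process": ev.get("process_name"),    # assumed field name
        })
    return alerts

# Constructed sample events, not real telemetry.
SID_A = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SID_B = "S-1-5-21-1111111111-2222222222-3333333333-1002"
ENV_A = "HKEY_USERS\\" + SID_A + "\\Environment\\"
SAMPLE_EVENTS = [
    {"event_type": "registry", "process_name": "reg.exe",
     "key_path": ENV_A + "UserInitMprLogonScript",
     "registry_data": "C:\\Users\\Public\\logon.bat"},
    # Kernel-style path and different casing still match.
    {"event_type": "registry", "process_name": "powershell.exe",
     "key_path": "\\REGISTRY\\USER\\" + SID_B + "\\environment\\userinitmprlogonscript",
     "registry_data": "C:\\Temp\\run.cmd"},
    # Near misses: sibling value, longer value name, non-registry event.
    {"event_type": "registry", "key_path": ENV_A + "Path"},
    {"event_type": "registry", "key_path": ENV_A + "UserInitMprLogonScriptBackup"},
    {"event_type": "process", "process_name": "cmd.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```
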

Contributors