Logon Scripts with UserInitMprLogonScript

Detect modification of Windows logon scripts stored in HKCU\Environment\UserInitMprLogonScript and trigger when a user logs in.

id:54fff7e8-f81d-4169-b820-4cbff0133e2d categories:detect confidence:medium os:windows created:11/30/2018 updated:11/30/2018

MITRE ATT&CK™ Mapping

tactics:Persistence techniques:T1037 Logon Scripts

Query

registry where registry_path == "*\\Environment\\UserInitMprLogonScript"

Detonation

Atomic Red Team: T1037

Contributors

• Endgame