T1037.001 Logon Script (Windows) Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Detect registry modifications to UserInitMprLogonScript for logon script persistence
let LogonScriptKey = "HKEY_CURRENT_USER\\Environment";
let LogonScriptValue = "UserInitMprLogonScript";
// Primary detection: Registry key modification
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has "Environment"
| where RegistryValueName =~ "UserInitMprLogonScript"
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| extend ScriptPath = RegistryValueData
| extend IsSuspiciousExtension = RegistryValueData has_any (".bat", ".cmd", ".ps1", ".vbs", ".js", ".exe", ".hta", ".wsf", ".scr")
| extend IsInUserWritablePath = RegistryValueData has_any ("%APPDATA%", "%TEMP%", "%TMP%", "AppData", "Temp", "Users\\", "ProgramData")
| extend IsInSystemPath = RegistryValueData has_any ("C:\\Windows\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\")
| project
    Timestamp,
    DeviceName,
    AccountName,
    ActionType,
    RegistryKey,
    RegistryValueName,
    ScriptPath,
    IsSuspiciousExtension,
    IsInUserWritablePath,
    IsInSystemPath,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    InitiatingProcessParentFileName
| sort by Timestamp desc

high severity high confidence

Data Sources

Registry: Registry Key Modification Microsoft Defender for Endpoint

Required Tables

DeviceRegistryEvents

False Positives

Enterprise software that legitimately uses UserInitMprLogonScript for logon-time configuration (e.g., some VPN clients or network drive mapping tools)
Group Policy or IT administration scripts that configure logon scripts via the registry for specific users
Security assessment or penetration testing tools running authorized tests on the environment

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13) OR (sourcetype="WinEventLog:Security" EventCode=4657)
| eval TargetObject=coalesce(TargetObject, ObjectName)
| eval Details=coalesce(Details, NewValue)
| where (match(TargetObject, "(?i)UserInitMprLogonScript"))
| eval ScriptPath=Details
| eval IsSuspiciousExtension=if(match(lower(Details), "\.(bat|cmd|ps1|vbs|js|exe|hta|wsf|scr)$"), 1, 0)
| eval IsInUserWritablePath=if(match(lower(Details), "(appdata|temp|tmp|users\\\\.+\\\\.+|programdata)"), 1, 0)
| eval IsInSystemPath=if(match(lower(Details), "(c:\\\\windows\\\\|c:\\\\program files)"), 1, 0)
| eval Initiator=coalesce(Image, ProcessName)
| eval ActingUser=coalesce(User, SubjectUserName)
| table _time, host, ActingUser, TargetObject, ScriptPath, IsSuspiciousExtension, IsInUserWritablePath, IsInSystemPath, Initiator, ParentImage
| sort - _time

high severity high confidence

Data Sources

Registry: Registry Key Modification Sysmon Event ID 13 Windows Security Event ID 4657

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Enterprise software that legitimately uses UserInitMprLogonScript for logon-time configuration (e.g., some VPN clients or network drive mapping tools)
Group Policy or IT administration scripts that configure logon scripts via the registry for specific users
Security assessment or penetration testing tools running authorized tests on the environment

Elastic Security (EQL)

eql

sequence by host.name
  [registry where registry.path : "*\\Environment\\UserInitMprLogonScript" and
   (event.action == "modification" or event.action == "creation") and
   registry.data.strings : ("*.bat", "*.cmd", "*.ps1", "*.vbs", "*.js", "*.exe", "*.hta", "*.wsf", "*.scr", "*AppData*", "*Temp*", "*Users\\*", "*ProgramData*")]
  [process where event.type == "start" and
   (process.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe") or
    process.parent.name : ("userinit.exe", "explorer.exe"))]

// Alternative single-event detection for registry modification
registry where
  registry.path : "*\\HKEY_USERS\\*\\Environment\\UserInitMprLogonScript" or
  registry.path : "*\\HKCU\\Environment\\UserInitMprLogonScript" and
  (event.action == "modification" or event.action == "creation") and
  not registry.data.strings : ("C:\\Windows\\*", "C:\\Program Files\\*")

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon

Required Tables

logs-endpoint.events.registry-* logs-endpoint.events.process-* winlogbeat-*

False Positives

Enterprise logon management software (e.g., Citrix, VMware Workspace ONE) may legitimately set UserInitMprLogonScript for session initialization
IT administrators using Group Policy or logon script management tools to deploy authorized scripts via this registry key
Software deployment tools (SCCM, Intune) that temporarily write logon scripts during package deployment workflows

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  username AS ActingUser,
  "ObjectName" AS RegistryKey,
  "NewValue" AS ScriptPath,
  sourceip AS HostIP,
  hostname AS HostName,
  QIDNAME(qid) AS EventName,
  CASE
    WHEN LOWER("NewValue") MATCHES '.*\.(bat|cmd|ps1|vbs|js|exe|hta|wsf|scr)' THEN 1
    ELSE 0
  END AS IsSuspiciousExtension,
  CASE
    WHEN LOWER("NewValue") MATCHES '.*(appdata|temp|tmp|users\\.+|programdata).*' THEN 1
    ELSE 0
  END AS IsInUserWritablePath
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 14, 432)
  AND qid IN (5200020, 5200021, 5200022)
  AND (
    "ObjectName" IMATCHES '%UserInitMprLogonScript%'
    OR ("ObjectName" IMATCHES '%\\Environment%' AND "NewValue" IS NOT NULL)
  )
  AND magnitude > 3
ORDER BY starttime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

Windows Security Event Log (Event ID 4657) Sysmon Operational Log (Event ID 13) Windows Registry Audit Events

Required Tables

events

False Positives

Legitimate enterprise logon script deployment by Windows Group Policy or domain controllers setting per-user logon scripts during provisioning
Helpdesk tooling or remote management agents that register logon scripts as part of user session configuration
Application installers that register post-install configuration scripts to run at next user logon via this registry mechanism

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security")
| parse "EventCode=*" as EventCode nodrop
| parse "EventID=*" as EventID nodrop
| where EventCode in ("13", "14") or EventID in ("4657")
| parse field=_raw "TargetObject=*" as TargetObject nodrop
| parse field=_raw "Details=*" as Details nodrop
| parse field=_raw "ObjectName=*" as ObjectName nodrop
| parse field=_raw "NewValue=*" as NewValue nodrop
| where TargetObject matches "*UserInitMprLogonScript*"
  or ObjectName matches "*UserInitMprLogonScript*"
| eval ScriptPath = if(!isNull(Details), Details, NewValue)
| eval IsSuspiciousExtension = if(matches(toLowerCase(ScriptPath), ".*\.(bat|cmd|ps1|vbs|js|exe|hta|wsf|scr)"), 1, 0)
| eval IsInUserWritablePath = if(matches(toLowerCase(ScriptPath), ".*(appdata|\\temp|\\tmp|\\users\\.+|programdata).*"), 1, 0)
| eval IsInSystemPath = if(matches(toLowerCase(ScriptPath), ".*(c:\\windows\\|c:\\program files).*"), 1, 0)
| parse field=_raw "Image=*" as InitiatingProcess nodrop
| parse field=_raw "User=*" as ActingUser nodrop
| parse field=_raw "SubjectUserName=*" as SubjectUser nodrop
| eval ActingUser = if(!isNull(ActingUser), ActingUser, SubjectUser)
| fields _messagetime, _sourceHost, ActingUser, TargetObject, ObjectName, ScriptPath, IsSuspiciousExtension, IsInUserWritablePath, IsInSystemPath, InitiatingProcess
| sort - _messagetime

high severity high confidence

Data Sources

Sumo Logic Windows Sysmon Source Sumo Logic Windows Security Event Source

Required Tables

windows/sysmon windows/security

False Positives

Legitimate network logon script assignment by Active Directory administrators via the user account properties 'Logon script' field, which populates this registry key at login
Third-party endpoint management or profile management solutions (e.g., Citrix Profile Management, FSLogix) that manage logon scripts per user
Power users or developers who deliberately configure personal logon scripts for productivity automation (e.g., drive mapping, VPN connection scripts)

Google Chronicle / SecOps

yaral

rule t1037_001_logon_script_windows {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects modification of HKCU\\Environment\\UserInitMprLogonScript registry value used for logon script persistence (T1037.001)"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1037.001"
    reference = "https://attack.mitre.org/techniques/T1037/001/"
    version = "1.0"

  events:
    $reg.metadata.event_type = "REGISTRY_MODIFICATION"
    $reg.target.registry.registry_key = /(?i).*\\Environment.*/ nocase
    $reg.target.registry.registry_value_name = "UserInitMprLogonScript" nocase
    $reg.principal.hostname = $hostname
    $reg.principal.user.userid = $user

  match:
    $hostname, $user over 1h

  outcome:
    $script_path = array_distinct($reg.target.registry.registry_value_data)
    $initiating_process = array_distinct($reg.principal.process.file.full_path)
    $risk_score = max(
      if(
        re.regex($reg.target.registry.registry_value_data, `(?i)\.(bat|cmd|ps1|vbs|js|exe|hta|wsf|scr)$`), 40, 0
      ) +
      if(
        re.regex($reg.target.registry.registry_value_data, `(?i)(appdata|temp|tmp|programdata|users\\)`), 30, 0
      ) +
      if(
        not re.regex($reg.target.registry.registry_value_data, `(?i)(c:\\windows\\|c:\\program files)`), 30, 0
      )
    )

  condition:
    $reg
}

high severity high confidence

Data Sources

Google Chronicle UDM Windows Registry Events via Sysmon or EDR forwarder Chronicle Ingestion API with Windows event sources

Required Tables

registry_modification

False Positives

Domain logon scripts legitimately assigned through Active Directory Group Policy Objects targeting specific users or OUs, which write to this key during user profile initialization
Enterprise software such as SAP, Oracle EBS, or other ERP systems that configure environment-based logon scripts to initialize user sessions and map network resources
Automated provisioning workflows (Ansible, Chef, Puppet) that configure user logon scripts as part of new employee onboarding or workstation setup procedures

CrowdStrike LogScale (CQL)

cql

// CrowdStrike LogScale (Falcon) detection for T1037.001 - Logon Script (Windows)
// Detect UserInitMprLogonScript registry persistence

#event_simpleName = AsepValueUpdate OR #event_simpleName = RegistryOperationDetectInfo
| TargetObject = /(?i)UserInitMprLogonScript/
| eval ScriptPath = RegStringValue
| eval IsSuspiciousExtension = if(ScriptPath = /(?i)\.(bat|cmd|ps1|vbs|js|exe|hta|wsf|scr)/, "true", "false")
| eval IsInUserWritablePath = if(ScriptPath = /(?i)(appdata|temp|tmp|programdata|users\\[^\\]+\\)/, "true", "false")
| eval IsInSystemPath = if(ScriptPath = /(?i)(c:\\windows\\|c:\\program files)/, "true", "false")
| eval RiskIndicators = (
    case {
      IsSuspiciousExtension = "true" AND IsInUserWritablePath = "true": "HIGH - suspicious extension in writable path";
      IsSuspiciousExtension = "true": "MEDIUM - suspicious extension";
      IsInUserWritablePath = "true": "MEDIUM - user-writable path";
      IsInSystemPath = "false": "LOW - non-system path";
      default: "INFO"
    }
  )
| table([_time, ComputerName, UserName, TargetObject, ScriptPath, IsSuspiciousExtension, IsInUserWritablePath, IsInSystemPath, RiskIndicators, ImageFileName, ParentBaseFileName])
| sort(field=_time, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Falcon Data Replicator (FDR) CrowdStrike ASEP and Registry event telemetry

Required Tables

AsepValueUpdate RegistryOperationDetectInfo

False Positives

Network administrators using logon scripts for drive mapping, printer configuration, or VPN initialization that are set via this key during legitimate user provisioning processes
Virtual desktop infrastructure (VDI) solutions like VMware Horizon or Citrix XenDesktop that write logon scripts to this key to configure the user's virtual session environment
Security software or endpoint agents that register configuration or telemetry initialization scripts through this persistence mechanism as part of their own install or update process

Logon Script (Windows)

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections