T1037.001 IBM QRadar · QRadar

Detect Logon Script (Windows) in IBM QRadar

Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system. This is done via adding a path to a script to the HKCU\Environment\UserInitMprLogonScript Registry key. Adversaries such as APT28, Cobalt Group, and malware families including Attor, JHUHUGIT, KGH_SPY, and Zebrocy have all leveraged this technique to maintain persistence on compromised systems.

MITRE ATT&CK

Tactic
Persistence Privilege Escalation
Technique
T1037 Boot or Logon Initialization Scripts
Sub-technique
T1037.001 Logon Script (Windows)
Canonical reference
https://attack.mitre.org/techniques/T1037/001/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  username AS ActingUser,
  "ObjectName" AS RegistryKey,
  "NewValue" AS ScriptPath,
  sourceip AS HostIP,
  hostname AS HostName,
  QIDNAME(qid) AS EventName,
  CASE
    WHEN LOWER("NewValue") MATCHES '.*\.(bat|cmd|ps1|vbs|js|exe|hta|wsf|scr)' THEN 1
    ELSE 0
  END AS IsSuspiciousExtension,
  CASE
    WHEN LOWER("NewValue") MATCHES '.*(appdata|temp|tmp|users\\.+|programdata).*' THEN 1
    ELSE 0
  END AS IsInUserWritablePath
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 14, 432)
  AND qid IN (5200020, 5200021, 5200022)
  AND (
    "ObjectName" IMATCHES '%UserInitMprLogonScript%'
    OR ("ObjectName" IMATCHES '%\\Environment%' AND "NewValue" IS NOT NULL)
  )
  AND magnitude > 3
ORDER BY starttime DESC
LAST 24 HOURS
high severity medium confidence

AQL query targeting Windows Security Event 4657 (registry value modified) and Sysmon Event 13 (RegistryValueSet) to detect writes to the UserInitMprLogonScript registry value under HKCU\Environment. Enriches results with suspicious extension and writable path indicators.

Data Sources

Windows Security Event Log (Event ID 4657)Sysmon Operational Log (Event ID 13)Windows Registry Audit Events

Required Tables

events

False Positives & Tuning

  • Legitimate enterprise logon script deployment by Windows Group Policy or domain controllers setting per-user logon scripts during provisioning
  • Helpdesk tooling or remote management agents that register logon scripts as part of user session configuration
  • Application installers that register post-install configuration scripts to run at next user logon via this registry mechanism
Download portable Sigma rule (.yml)

Other platforms for T1037.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Set UserInitMprLogonScript via reg.exe

    Expected signal: Sysmon Event ID 13: TargetObject=HKEY_CURRENT_USER\Environment\UserInitMprLogonScript, Details=%TEMP%\logon_test.bat, Image=C:\Windows\System32\reg.exe. Sysmon Event ID 11: File creation of logon_test.bat in %TEMP%. Security Event ID 4688: Process creation for reg.exe with command line containing 'add HKCU\Environment /v UserInitMprLogonScript'.

  2. Test 2Set UserInitMprLogonScript via PowerShell Registry Provider

    Expected signal: Sysmon Event ID 13: TargetObject=HKEY_CURRENT_USER\Environment\UserInitMprLogonScript, Details path ending in T1037001_test.ps1, Image=powershell.exe. Sysmon Event ID 11: File creation of T1037001_test.ps1 in %TEMP%. PowerShell ScriptBlock Log Event ID 4104: Contains 'Set-ItemProperty' and 'UserInitMprLogonScript'. DeviceRegistryEvents: RegistryValueName=UserInitMprLogonScript, InitiatingProcessFileName=powershell.exe.

  3. Test 3Set UserInitMprLogonScript via .NET Registry API (Fileless Technique)

    Expected signal: Sysmon Event ID 13: TargetObject=HKEY_CURRENT_USER\Environment\UserInitMprLogonScript, Details path ending in T1037001_logon.vbs in AppData\Microsoft, Image=powershell.exe. Sysmon Event ID 11: File creation of T1037001_logon.vbs in AppData\Microsoft. PowerShell ScriptBlock Log Event ID 4104: Contains 'Microsoft.Win32.Registry' and 'UserInitMprLogonScript'. Note: The initiating process is still powershell.exe even though reg.exe is not spawned.

  4. Test 4Simulate Logon Script Execution via userinit.exe Process Chain

    Expected signal: Sysmon Event ID 13: Registry value set for UserInitMprLogonScript. Sysmon Event ID 1: Process creation for cmd.exe executing the batch file. Sysmon Event ID 11: Creation of T1037001_executed.txt marker file. Security Event ID 4688: cmd.exe process creation with command line referencing T1037001_exec_test.bat. On actual logon, the parent would be userinit.exe rather than the test process.

Last updated: 2026-04-16 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1037.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1037Boot or Logon Initialization Scripts

Related Sub-techniques

T1037.002Login HookT1037.003Network Logon ScriptT1037.004RC ScriptsT1037.005Startup Items

Related Techniques

T1037Boot or Logon Initialization ScriptsT1547.001Registry Run Keys / Startup FolderT1059.001PowerShellT1059.003Windows Command ShellT1059.005Visual BasicT1105Ingress Tool TransferT1078Valid AccountsT1053.005Scheduled TaskT1027Obfuscated Files or Information

Same Tactic: Persistence

Popular Detections