T1037.001 Sumo Logic CSE · Sumo

Detect Logon Script (Windows) in Sumo Logic CSE

Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system. This is done via adding a path to a script to the HKCU\Environment\UserInitMprLogonScript Registry key. Adversaries such as APT28, Cobalt Group, and malware families including Attor, JHUHUGIT, KGH_SPY, and Zebrocy have all leveraged this technique to maintain persistence on compromised systems.

MITRE ATT&CK

Tactic: Persistence, Privilege Escalation
Technique: T1037 Boot or Logon Initialization Scripts
Sub-technique: T1037.001 Logon Script (Windows)
Canonical reference: https://attack.mitre.org/techniques/T1037/001/

Sumo Detection Query

Sumo Logic CSE (Sumo)
(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security")
| parse "EventCode=*" as EventCode nodrop
| parse "EventID=*" as EventID nodrop
| where EventCode in ("13", "14") or EventID in ("4657")
| parse field=_raw "TargetObject=*" as TargetObject nodrop
| parse field=_raw "Details=*" as Details nodrop
| parse field=_raw "ObjectName=*" as ObjectName nodrop
// Security 4657 carries the key path in ObjectName and the value name in ObjectValueName
| parse field=_raw "ObjectValueName=*" as ObjectValueName nodrop
| parse field=_raw "NewValue=*" as NewValue nodrop
| where TargetObject matches "*UserInitMprLogonScript*"
  or ObjectName matches "*UserInitMprLogonScript*"
  or ObjectValueName matches "*UserInitMprLogonScript*"
// Sysmon reports the written value in Details, Security 4657 in NewValue
| if(!isNull(Details), Details, NewValue) as ScriptPath
| toLowerCase(ScriptPath) as ScriptPathLc
| if(ScriptPathLc matches /.*\.(bat|cmd|ps1|vbs|js|exe|hta|wsf|scr)/, 1, 0) as IsSuspiciousExtension
// %temp%/%tmp% included because Sysmon records the value exactly as written, unexpanded
| if(ScriptPathLc matches /.*(appdata|\\temp|\\tmp|%temp%|%tmp%|\\users\\.+|programdata).*/, 1, 0) as IsInUserWritablePath
| if(ScriptPathLc matches /.*(c:\\windows\\|c:\\program files).*/, 1, 0) as IsInSystemPath
| parse field=_raw "Image=*" as InitiatingProcess nodrop
| parse field=_raw "User=*" as ActingUser nodrop
| parse field=_raw "SubjectUserName=*" as SubjectUser nodrop
| if(!isNull(ActingUser), ActingUser, SubjectUser) as ActingUser
| fields _messagetime, _sourceHost, ActingUser, TargetObject, ObjectName, ObjectValueName, ScriptPath, IsSuspiciousExtension, IsInUserWritablePath, IsInSystemPath, InitiatingProcess
| sort by _messagetime desc

Severity: high
Confidence: high

Sumo Logic CSE query detecting Sysmon Event 13/14 (registry value set/deleted) and Windows Security Event 4657 matching the UserInitMprLogonScript registry value under HKCU\Environment. Enriches events with script path analysis to identify suspicious extensions and user-writable locations associated with persistence.
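To see the detection logic run end to end without a Sumo tenant, here is an added Python example written for this page (it is not part of the Sumo Logic CSE rule). It parses constructed Key=value records shaped like Sysmon Event 13 and Security Event 4657, applies the same value-name filter and the three path classifiers from the query, and attaches a triage hint that maps to the false-positive cases listed below. All host, user and path values are invented; the %TEMP% pattern is an addition because Sysmon records the value unexpanded, as Test 1 below expects, and the handling of ObjectValueName for 4657 is an assumption about how the Security source renders that event.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample records (not real telemetry) in the "Key=value" layout the
# Sumo query parses. Records 1 and 2 mirror Tests 1 and 3 on this page, record 3
# is an admin-assigned network logon script seen through Security 4657, and
# record 4 is an ordinary Run-key write that must not match.
SAMPLE_EVENTS: List[str] = [
    "EventCode=13 Image=C:\\Windows\\System32\\reg.exe User=CORP\\jdoe "
    "TargetObject=HKU\\S-1-5-21-1\\Environment\\UserInitMprLogonScript "
    "Details=%TEMP%\\logon_test.bat",
    "EventCode=13 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "User=CORP\\jdoe TargetObject=HKU\\S-1-5-21-1\\Environment\\UserInitMprLogonScript "
    "Details=C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\T1037001_logon.vbs",
    "EventID=4657 SubjectUserName=svc-gpo "
    "ObjectName=\\REGISTRY\\USER\\S-1-5-21-2\\Environment "
    "ObjectValueName=UserInitMprLogonScript "
    "NewValue=\\\\corp.example\\NETLOGON\\mapdrives.vbs",
    "EventCode=13 Image=C:\\Windows\\explorer.exe User=CORP\\jdoe "
    "TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Sync "
    "Details=C:\\Users\\jdoe\\AppData\\Local\\Sync\\sync.exe",
]

# The query's three classifiers as Python regexes. %TEMP%/%TMP% are added
# because Sysmon stores the value exactly as written, with variables unexpanded.
SUSPICIOUS_EXT = re.compile(r"\.(bat|cmd|ps1|vbs|js|exe|hta|wsf|scr)$", re.I)
USER_WRITABLE = re.compile(r"(appdata|\\temp\\|\\tmp\\|%temp%|%tmp%|\\users\\|programdata)", re.I)
SYSTEM_PATH = re.compile(r"^(c:\\windows\\|c:\\program files)", re.I)
# A value runs until the next " Key=" token or end of line, so paths with spaces survive.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


@dataclass
class Finding:
    event_code: str
    acting_user: str
    initiating_process: str
    script_path: str
    suspicious_extension: bool
    user_writable_path: bool
    system_path: bool
    triage: str


def parse_kv(line: str) -> Dict[str, str]:
    """Split a flat 'Key=value Key=value' record into a dict."""
    return dict(KV_RE.findall(line))


def evaluate(line: str) -> Optional[Finding]:
    """Return a Finding for a UserInitMprLogonScript write, else None."""
    ev = parse_kv(line)
    code = ev.get("EventCode") or ev.get("EventID") or ""
    if code not in ("13", "14", "4657"):
        return None
    # Sysmon names the value inside TargetObject; Security 4657 puts the key
    # path in ObjectName and the value name in ObjectValueName (assumed layout).
    value_ref = ev.get("TargetObject", "") + "\\" + ev.get("ObjectValueName", "")
    if "userinitmprlogonscript" not in value_ref.lower():
        return None
    script = ev.get("Details") or ev.get("NewValue") or ""
    ext = bool(SUSPICIOUS_EXT.search(script))
    writable = bool(USER_WRITABLE.search(script))
    system = bool(SYSTEM_PATH.search(script))
    if not script:
        triage = "no script path recorded: correlate with the user's next logon"
    elif writable and ext:
        triage = "user-writable script path: treat as likely persistence"
    elif system or script.startswith("\\\\"):
        triage = "system or UNC path: confirm against AD logon-script assignment"
    else:
        triage = "review manually"
    return Finding(
        event_code=code,
        acting_user=ev.get("User") or ev.get("SubjectUserName") or "",
        initiating_process=ev.get("Image") or ev.get("ProcessName") or "",
        script_path=script,
        suspicious_extension=ext,
        user_writable_path=writable,
        system_path=system,
        triage=triage,
    )


def run_detection(lines: List[str]) -> List[Finding]:
    """Apply evaluate() to every record and keep only the hits."""
    return [f for f in (evaluate(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for f in run_detection(SAMPLE_EVENTS):
        print(f"{f.event_code} {f.acting_user:12} {f.script_path}\n    -> {f.triage}")
```

Running the block flags the two user-writable cases as likely persistence and routes the NETLOGON share path to the AD logon-script check from the tuning notes, while the Run-key write is dropped by the value-name filter before any path classification happens.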

Data Sources

  • Sumo Logic Windows Sysmon Source
  • Sumo Logic Windows Security Event Source

Required Tables

  • windows/sysmon
  • windows/security

False Positives & Tuning

  • Legitimate network logon script assignment by Active Directory administrators via the user account properties 'Logon script' field, which populates this registry key at login
  • Third-party endpoint management or profile management solutions (e.g., Citrix Profile Management, FSLogix) that manage logon scripts per user
  • Power users or developers who deliberately configure personal logon scripts for productivity automation (e.g., drive mapping, VPN connection scripts)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Set UserInitMprLogonScript via reg.exe

    Expected signal: Sysmon Event ID 13: TargetObject=HKEY_CURRENT_USER\Environment\UserInitMprLogonScript, Details=%TEMP%\logon_test.bat, Image=C:\Windows\System32\reg.exe. Sysmon Event ID 11: File creation of logon_test.bat in %TEMP%. Security Event ID 4688: Process creation for reg.exe with command line containing 'add HKCU\Environment /v UserInitMprLogonScript'.

  2. Test 2: Set UserInitMprLogonScript via PowerShell Registry Provider

    Expected signal: Sysmon Event ID 13: TargetObject=HKEY_CURRENT_USER\Environment\UserInitMprLogonScript, Details path ending in T1037001_test.ps1, Image=powershell.exe. Sysmon Event ID 11: File creation of T1037001_test.ps1 in %TEMP%. PowerShell ScriptBlock Log Event ID 4104: Contains 'Set-ItemProperty' and 'UserInitMprLogonScript'. DeviceRegistryEvents: RegistryValueName=UserInitMprLogonScript, InitiatingProcessFileName=powershell.exe.

  3. Test 3: Set UserInitMprLogonScript via .NET Registry API (Fileless Technique)

    Expected signal: Sysmon Event ID 13: TargetObject=HKEY_CURRENT_USER\Environment\UserInitMprLogonScript, Details path ending in T1037001_logon.vbs in AppData\Microsoft, Image=powershell.exe. Sysmon Event ID 11: File creation of T1037001_logon.vbs in AppData\Microsoft. PowerShell ScriptBlock Log Event ID 4104: Contains 'Microsoft.Win32.Registry' and 'UserInitMprLogonScript'. Note: The initiating process is still powershell.exe even though reg.exe is not spawned.

  4. Test 4: Simulate Logon Script Execution via userinit.exe Process Chain

    Expected signal: Sysmon Event ID 13: Registry value set for UserInitMprLogonScript. Sysmon Event ID 1: Process creation for cmd.exe executing the batch file. Sysmon Event ID 11: Creation of T1037001_executed.txt marker file. Security Event ID 4688: cmd.exe process creation with command line referencing T1037001_exec_test.bat. On actual logon, the parent would be userinit.exe rather than the test process.
