T1037.003

Network Logon Script

Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects. These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, initializing one of these scripts could apply to more than one or potentially all systems. Adversaries may use these scripts to maintain persistence on a network. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

Microsoft Sentinel / Defender

kusto

let SuspiciousScriptExtensions = dynamic([".bat", ".cmd", ".ps1", ".vbs", ".js", ".wsf", ".hta"]);
let KnownLogonScriptPaths = dynamic(["\\NETLOGON\\", "\\SYSVOL\\", "\\scripts\\"]);
// Detection 1: AD User object ScriptPath attribute modification via LDAP/AD changes
let ADScriptChange = AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName has_any ("Update user", "Modify user")
| where TargetResources has "scriptPath"
| extend ModifiedBy = tostring(InitiatedBy.user.userPrincipalName)
| extend TargetUser = tostring(TargetResources[0].userPrincipalName)
| extend ChangedProperties = tostring(TargetResources[0].modifiedProperties)
| project TimeGenerated, OperationName, ModifiedBy, TargetUser, ChangedProperties, CorrelationId
| extend DetectionType = "AD ScriptPath Attribute Modified";
// Detection 2: Script file created or modified in NETLOGON/SYSVOL share paths
let ScriptFileCreation = DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath has_any (KnownLogonScriptPaths)
| where FileName has_any (SuspiciousScriptExtensions)
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| project Timestamp, DeviceName, AccountName, FolderPath, FileName, ActionType,
         InitiatingProcessFileName, InitiatingProcessCommandLine, SHA256
| extend DetectionType = "Script File Created/Modified in NETLOGON/SYSVOL";
// Detection 3: Suspicious process spawned from logon script host processes at logon
let LogonScriptExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("userinit.exe", "explorer.exe")
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe")
| where ProcessCommandLine has_any (KnownLogonScriptPaths) or
        (InitiatingProcessCommandLine has_any (KnownLogonScriptPaths))
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| extend DetectionType = "Suspicious Process Spawned from Logon Script Path";
// Detection 4: Registry key for logon script set or modified
let RegistryLogonScript = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any (
    "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
    "\\SOFTWARE\\Policies\\Microsoft\\Windows\\System",
    "\\Environment"
  )
| where RegistryValueName in~ ("UserInitMprLogonScript", "Userinit", "Scripts")
| project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName,
         RegistryValueData, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine
| extend DetectionType = "Logon Script Registry Key Modified";
// Union all detections
ADScriptChange
| project-away ModifiedBy, TargetUser, ChangedProperties, CorrelationId
| union
  (ScriptFileCreation | project-away ActionType, SHA256),
  (LogonScriptExecution | project-away FileName),
  (RegistryLogonScript | project-away RegistryKey, RegistryValueName, RegistryValueData, ActionType)
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Active Directory: Active Directory Object Modification File: File Creation File: File Modification Process: Process Creation Windows Registry: Windows Registry Key Modification

Required Tables

AuditLogs DeviceFileEvents DeviceProcessEvents DeviceRegistryEvents

False Positives

IT administrators legitimately deploying or updating logon scripts via Group Policy or AD Users and Computers for software deployment or environment configuration
SCCM/Intune or other endpoint management platforms that modify SYSVOL/NETLOGON share contents as part of normal GPO operations
Automated provisioning systems that set the scriptPath attribute on new user accounts during onboarding workflows
Domain controllers replicating SYSVOL content via DFS-R or FRS, which generates file creation/modification events in the SYSVOL path

Splunk

spl

| union
[
  search index=wineventlog sourcetype="WinEventLog:Security" EventCode=5136
  | eval ObjectClass=spath(_raw, "ObjectClass")
  | eval AttributeLDAPDisplayName=spath(_raw, "AttributeLDAPDisplayName")
  | where AttributeLDAPDisplayName="scriptPath"
  | eval SubjectUserName=spath(_raw, "SubjectUserName")
  | eval ObjectDN=spath(_raw, "ObjectDN")
  | eval AttributeValue=spath(_raw, "AttributeValue")
  | eval DetectionType="AD scriptPath Attribute Modified (Event 5136)"
  | table _time, host, SubjectUserName, ObjectDN, AttributeLDAPDisplayName, AttributeValue, DetectionType
]
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
  (TargetFilename="*\\NETLOGON\\*" OR TargetFilename="*\\SYSVOL\\*" OR TargetFilename="*\\scripts\\*")
  (TargetFilename="*.bat" OR TargetFilename="*.cmd" OR TargetFilename="*.ps1" OR TargetFilename="*.vbs" OR TargetFilename="*.js" OR TargetFilename="*.wsf" OR TargetFilename="*.hta")
  | eval DetectionType="Script File Created in NETLOGON/SYSVOL (Sysmon 11)"
  | table _time, host, User, Image, CommandLine, TargetFilename, DetectionType
]
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (ParentImage="*\\userinit.exe" OR ParentImage="*\\explorer.exe")
  (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\mshta.exe" OR Image="*\\rundll32.exe" OR Image="*\\regsvr32.exe")
  (CommandLine="*NETLOGON*" OR CommandLine="*SYSVOL*" OR CommandLine="*\\scripts\\*" OR ParentCommandLine="*NETLOGON*" OR ParentCommandLine="*SYSVOL*")
  | eval DetectionType="Suspicious Process Spawned from Logon Script Path (Sysmon 1)"
  | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionType
]
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13
  (TargetObject="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" OR TargetObject="*\\Environment*" OR TargetObject="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System*")
  (TargetObject="*UserInitMprLogonScript*" OR TargetObject="*Userinit*")
  | eval DetectionType="Logon Script Registry Key Modified (Sysmon 13)"
  | table _time, host, User, Image, CommandLine, TargetObject, Details, DetectionType
]
[
  search index=wineventlog sourcetype="WinEventLog:Security" EventCode=4688
  (ParentProcessName="*userinit.exe" OR ParentProcessName="*explorer.exe")
  (NewProcessName="*cmd.exe" OR NewProcessName="*powershell.exe" OR NewProcessName="*wscript.exe" OR NewProcessName="*cscript.exe" OR NewProcessName="*mshta.exe")
  (CommandLine="*NETLOGON*" OR CommandLine="*SYSVOL*" OR CommandLine="*\\scripts\\*")
  | eval SubjectUserName=spath(_raw, "SubjectUserName")
  | eval DetectionType="Logon Script Process Execution (Security 4688)"
  | table _time, host, SubjectUserName, NewProcessName, CommandLine, ParentProcessName, DetectionType
]
| sort - _time

high severity medium confidence

Data Sources

Active Directory: Active Directory Object Modification File: File Creation Process: Process Creation Windows Registry: Windows Registry Key Modification Sysmon Event ID 1 Sysmon Event ID 11 Sysmon Event ID 13 Windows Security Event ID 5136 Windows Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

IT administrators legitimately deploying or updating logon scripts via Group Policy or AD Users and Computers for software deployment or environment configuration
SCCM/Intune or other endpoint management platforms that modify SYSVOL/NETLOGON share contents as part of normal GPO operations
Automated provisioning systems that set the scriptPath attribute on new user accounts during onboarding workflows
Domain controllers replicating SYSVOL content via DFS-R or FRS, which generates file creation/modification events in the SYSVOL path

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
[
  // Detection 1: Script file created/modified in NETLOGON/SYSVOL paths
  file where event.type in ("creation", "change") and
  (
    file.path : ("*\\NETLOGON\\*", "*\\SYSVOL\\*", "*\\scripts\\*") and
    file.extension : ("bat", "cmd", "ps1", "vbs", "js", "wsf", "hta")
  )
]
or
// Detection 2: Suspicious process spawned from logon script host at logon
sequence by host.name with maxspan=2m
[
  process where event.type == "start" and
  process.parent.name : ("userinit.exe", "explorer.exe") and
  process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe") and
  (
    process.command_line : ("*NETLOGON*", "*SYSVOL*", "*\\scripts\\*") or
    process.parent.command_line : ("*NETLOGON*", "*SYSVOL*", "*\\scripts\\*")
  )
]
or
// Detection 3: Logon script registry key modified
registry where event.type in ("creation", "change") and
(
  registry.path : (
    "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*",
    "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System*",
    "*\\Environment*"
  ) and
  registry.value : ("UserInitMprLogonScript", "Userinit", "Scripts")
)

high severity high confidence

Data Sources

Elastic Endpoint Security (endpoint.events.file) Elastic Endpoint Security (endpoint.events.process) Elastic Endpoint Security (endpoint.events.registry) Windows Event Logs via Elastic Agent (winlog.event_id)

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.process-* logs-endpoint.events.registry-* winlogbeat-*

False Positives

Legitimate IT administrators deploying or updating login scripts in NETLOGON/SYSVOL share as part of scheduled Group Policy maintenance or system provisioning workflows.
Software deployment tools (SCCM, Ansible, Puppet) that write scripts to SYSVOL or NETLOGON as part of automated provisioning or configuration management.
Security or compliance tooling that modifies Winlogon registry keys (e.g., Userinit) during installation or updates, such as endpoint detection agents or VPN clients.
Domain controller replication processes that propagate legitimate SYSVOL script changes across domain controllers, generating file creation events on replica DCs.

IBM QRadar (AQL)

sql

-- Detection 1: Script file created/modified in NETLOGON/SYSVOL (Sysmon Event 11)
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "sourceip" AS host_ip,
  username,
  QIDNAME(qid) AS event_name,
  "TargetFilename" AS target_file,
  "Image" AS initiating_image,
  'Script File in NETLOGON/SYSVOL' AS detection_type
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) = 12 -- Windows
  AND QIDNAME(qid) LIKE '%Sysmon%'
  AND LONG("EventID") = 11
  AND (
    "TargetFilename" ILIKE '%\NETLOGON\%'
    OR "TargetFilename" ILIKE '%\SYSVOL\%'
    OR "TargetFilename" ILIKE '%\scripts\%'
  )
  AND (
    "TargetFilename" ILIKE '%.bat'
    OR "TargetFilename" ILIKE '%.cmd'
    OR "TargetFilename" ILIKE '%.ps1'
    OR "TargetFilename" ILIKE '%.vbs'
    OR "TargetFilename" ILIKE '%.js'
    OR "TargetFilename" ILIKE '%.wsf'
    OR "TargetFilename" ILIKE '%.hta'
  )
  AND devicetime > NOW() - 86400000
UNION ALL
-- Detection 2: Suspicious process spawned from logon script path (Sysmon Event 1)
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "sourceip" AS host_ip,
  username,
  QIDNAME(qid) AS event_name,
  "CommandLine" AS target_file,
  "Image" AS initiating_image,
  'Suspicious Logon Script Process Execution' AS detection_type
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) = 12
  AND QIDNAME(qid) LIKE '%Sysmon%'
  AND LONG("EventID") = 1
  AND (
    "ParentImage" ILIKE '%\userinit.exe'
    OR "ParentImage" ILIKE '%\explorer.exe'
  )
  AND (
    "Image" ILIKE '%\cmd.exe'
    OR "Image" ILIKE '%\powershell.exe'
    OR "Image" ILIKE '%\wscript.exe'
    OR "Image" ILIKE '%\cscript.exe'
    OR "Image" ILIKE '%\mshta.exe'
    OR "Image" ILIKE '%\rundll32.exe'
    OR "Image" ILIKE '%\regsvr32.exe'
  )
  AND (
    "CommandLine" ILIKE '%NETLOGON%'
    OR "CommandLine" ILIKE '%SYSVOL%'
    OR "CommandLine" ILIKE '%\scripts\%'
    OR "ParentCommandLine" ILIKE '%NETLOGON%'
    OR "ParentCommandLine" ILIKE '%SYSVOL%'
  )
  AND devicetime > NOW() - 86400000
UNION ALL
-- Detection 3: Logon script registry key modified (Sysmon Event 13)
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "sourceip" AS host_ip,
  username,
  QIDNAME(qid) AS event_name,
  "TargetObject" AS target_file,
  "Image" AS initiating_image,
  'Logon Script Registry Key Modified' AS detection_type
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) = 12
  AND QIDNAME(qid) LIKE '%Sysmon%'
  AND LONG("EventID") = 13
  AND (
    "TargetObject" ILIKE '%\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon%'
    OR "TargetObject" ILIKE '%\SOFTWARE\Policies\Microsoft\Windows\System%'
    OR "TargetObject" ILIKE '%\Environment%'
  )
  AND (
    "TargetObject" ILIKE '%UserInitMprLogonScript%'
    OR "TargetObject" ILIKE '%Userinit%'
  )
  AND devicetime > NOW() - 86400000
UNION ALL
-- Detection 4: AD scriptPath attribute modified (Security Event 5136)
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "sourceip" AS host_ip,
  username,
  QIDNAME(qid) AS event_name,
  "ObjectDN" AS target_file,
  "SubjectUserName" AS initiating_image,
  'AD scriptPath Attribute Modified' AS detection_type
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) = 12
  AND LONG("EventID") = 5136
  AND "AttributeLDAPDisplayName" = 'scriptPath'
  AND devicetime > NOW() - 86400000
ORDER BY event_time DESC

high severity high confidence

Data Sources

Microsoft Windows Security Event Log (EventID 5136) Sysmon Operational Log (EventID 1, 11, 13) via Windows Log Source QRadar Windows Log Source Type (LOGSOURCETYPEID 12)

Required Tables

events

False Positives

Domain administrators legitimately modifying the scriptPath attribute of user objects in Active Directory during onboarding, offboarding, or Group Policy refresh cycles.
IT automation systems (SCCM, Intune, or custom deployment scripts) that create or update login scripts in NETLOGON or SYSVOL as part of routine software distribution.
Security tools or endpoint agents that modify Winlogon registry keys during installation or updates, triggering Sysmon Event 13 on the registry path.
DC replication of legitimate SYSVOL content creating Sysmon file events on replica domain controllers.

Sumo Logic CSE

sql

// Detection 1: Script file created in NETLOGON/SYSVOL (Sysmon Event 11)
(_sourceCategory="windows/sysmon" OR _sourceCategory="WinEventLog/Sysmon")
| where EventID = "11"
| where TargetFilename matches "*\\NETLOGON\\*"
  OR TargetFilename matches "*\\SYSVOL\\*"
  OR TargetFilename matches "*\\scripts\\*"
| where TargetFilename matches "*.bat"
  OR TargetFilename matches "*.cmd"
  OR TargetFilename matches "*.ps1"
  OR TargetFilename matches "*.vbs"
  OR TargetFilename matches "*.js"
  OR TargetFilename matches "*.wsf"
  OR TargetFilename matches "*.hta"
| fields _messagetime, Computer, User, Image, CommandLine, TargetFilename
| "Script File Created in NETLOGON/SYSVOL" as DetectionType

// Detection 2: Suspicious process spawned from logon script path (Sysmon Event 1)
// Run as separate query and union results
(_sourceCategory="windows/sysmon" OR _sourceCategory="WinEventLog/Sysmon")
| where EventID = "1"
| where (ParentImage matches "*\\userinit.exe" OR ParentImage matches "*\\explorer.exe")
| where Image matches "*\\cmd.exe"
  OR Image matches "*\\powershell.exe"
  OR Image matches "*\\pwsh.exe"
  OR Image matches "*\\wscript.exe"
  OR Image matches "*\\cscript.exe"
  OR Image matches "*\\mshta.exe"
  OR Image matches "*\\rundll32.exe"
  OR Image matches "*\\regsvr32.exe"
| where CommandLine matches "*NETLOGON*"
  OR CommandLine matches "*SYSVOL*"
  OR CommandLine matches "*\\scripts\\*"
  OR ParentCommandLine matches "*NETLOGON*"
  OR ParentCommandLine matches "*SYSVOL*"
| fields _messagetime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine
| "Suspicious Logon Script Process Execution" as DetectionType

// Detection 3: Registry logon script key modified (Sysmon Event 13)
(_sourceCategory="windows/sysmon" OR _sourceCategory="WinEventLog/Sysmon")
| where EventID = "13"
| where TargetObject matches "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*"
  OR TargetObject matches "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System*"
  OR TargetObject matches "*\\Environment*"
| where TargetObject matches "*UserInitMprLogonScript*"
  OR TargetObject matches "*Userinit*"
| fields _messagetime, Computer, User, Image, CommandLine, TargetObject, Details
| "Logon Script Registry Key Modified" as DetectionType

// Detection 4: AD scriptPath attribute modified (Security Event 5136)
(_sourceCategory="windows/security" OR _sourceCategory="WinEventLog/Security")
| where EventID = "5136"
| where AttributeLDAPDisplayName = "scriptPath"
| fields _messagetime, Computer, SubjectUserName, ObjectDN, AttributeLDAPDisplayName, AttributeValue
| "AD scriptPath Attribute Modified" as DetectionType

high severity high confidence

Data Sources

Sysmon Operational Event Logs (EventID 1, 11, 13) via Sumo Logic Windows collector Windows Security Event Log (EventID 5136) via Sumo Logic Windows collector Sumo Logic Cloud SIEM Enterprise (CSE) normalized Windows events

Required Tables

windows/sysmon WinEventLog/Sysmon windows/security WinEventLog/Security

False Positives

Group Policy administrators updating login scripts deployed via GPO to NETLOGON or SYSVOL shares as part of quarterly policy refresh cycles.
Legitimate software installations or updates that modify the Userinit registry key as part of their installer logic (rare but occurs with legacy enterprise software).
Security or identity management tools that modify user AD attributes including scriptPath as part of automated provisioning workflows.
Domain controller SYSVOL DFS-R replication creating Sysmon file events on all domain controllers when any script is updated on the primary DC.

Google Chronicle / SecOps

yaral

rule t1037_003_network_logon_script {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1037.003 Network Logon Script persistence via script file creation in NETLOGON/SYSVOL, suspicious interpreter processes spawned at logon, and registry modifications to logon script keys."
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1037.003"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1037/003/"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1037/003/"
    version = "1.0"
    created = "2026-04-16"

  events:
    // Detection variant A: Script file creation in NETLOGON/SYSVOL
    (
      $e1.metadata.event_type = "FILE_CREATION"
      and (
        re.regex($e1.target.file.full_path, `(?i)\\(NETLOGON|SYSVOL|scripts)\\`) nocase
      )
      and (
        re.regex($e1.target.file.full_path, `(?i)\.(bat|cmd|ps1|vbs|js|wsf|hta)$`) nocase
      )
    )
    or
    // Detection variant B: Suspicious process spawned from logon script host referencing NETLOGON/SYSVOL
    (
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e1.principal.process.file.full_path, `(?i)\\(userinit|explorer)\.exe$`) nocase
      )
      and (
        re.regex($e1.target.process.file.full_path, `(?i)\\(cmd|powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32)\.exe$`) nocase
      )
      and (
        re.regex($e1.target.process.command_line, `(?i)(NETLOGON|SYSVOL|\\scripts\\)`) nocase
        or re.regex($e1.principal.process.command_line, `(?i)(NETLOGON|SYSVOL|\\scripts\\)`) nocase
      )
    )
    or
    // Detection variant C: Logon script registry key modified
    (
      $e1.metadata.event_type = "REGISTRY_MODIFICATION"
      and (
        re.regex($e1.target.registry.registry_key, `(?i)SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon`) nocase
        or re.regex($e1.target.registry.registry_key, `(?i)SOFTWARE\\Policies\\Microsoft\\Windows\\System`) nocase
        or re.regex($e1.target.registry.registry_key, `(?i)\\Environment`) nocase
      )
      and (
        re.regex($e1.target.registry.registry_value_name, `(?i)(UserInitMprLogonScript|Userinit|Scripts)`) nocase
      )
    )
    or
    // Detection variant D: AD scriptPath attribute modification (via Windows Security Event 5136)
    (
      $e1.metadata.event_type = "USER_CHANGE"
      and $e1.metadata.product_event_type = "5136"
      and re.regex($e1.additional.fields["AttributeLDAPDisplayName"], `(?i)scriptPath`) nocase
    )

  condition:
    $e1
}

high severity high confidence

Data Sources

Google Chronicle UDM Events (FILE_CREATION, PROCESS_LAUNCH, REGISTRY_MODIFICATION, USER_CHANGE) Windows Endpoint telemetry via Chronicle forwarder or Microsoft Defender for Endpoint connector Active Directory / Microsoft Entra ID audit logs via Chronicle ingestion

Required Tables

udm_events (FILE_CREATION) udm_events (PROCESS_LAUNCH) udm_events (REGISTRY_MODIFICATION) udm_events (USER_CHANGE)

False Positives

Legitimate domain administrators modifying user scriptPath attributes via Active Directory Users and Computers or PowerShell AD cmdlets during user provisioning.
Group Policy management operations that update scripts in NETLOGON/SYSVOL shares as part of routine policy deployment or refresh, generating FILE_CREATION events on domain controllers.
Enterprise endpoint management software (SCCM, Intune) modifying Winlogon registry keys during agent installation or configuration pushes.
SYSVOL DFS replication that propagates legitimate script updates to replica domain controllers, creating FILE_CREATION UDM events across multiple hosts simultaneously.

CrowdStrike LogScale (CQL)

cql

// Detection 1: Script file created/written in NETLOGON/SYSVOL paths
#event_simpleName = "PeFileWritten" OR #event_simpleName = "NewExecutableWritten"
| TargetFilename = /(?i)\\(NETLOGON|SYSVOL|scripts)\\/
| TargetFilename = /(?i)\.(bat|cmd|ps1|vbs|js|wsf|hta)$/
| "Script File in NETLOGON/SYSVOL" as DetectionType
| table([_timereceived, ComputerName, UserName, TargetFilename, FilePath, SHA256HashData, DetectionType])

// Detection 2: Suspicious interpreter spawned by userinit/explorer with logon script path references
// Run as separate query
#event_simpleName = "ProcessRollup2"
| ParentBaseFileName = /(?i)^(userinit|explorer)\.exe$/
| ImageFileName = /(?i)\\(cmd|powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32)\.exe$/
| CommandLine = /(?i)(NETLOGON|SYSVOL|\\scripts\\)/
  OR ParentCommandLine = /(?i)(NETLOGON|SYSVOL|\\scripts\\)/
| "Suspicious Logon Script Interpreter Process" as DetectionType
| table([_timereceived, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, TargetProcessId, DetectionType])

// Detection 3: Registry modifications to logon script keys
#event_simpleName = "RegValueUpdate" OR #event_simpleName = "RegValueCreate"
| TargetObject = /(?i)SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon/
  OR TargetObject = /(?i)SOFTWARE\\Policies\\Microsoft\\Windows\\System/
  OR TargetObject = /(?i)\\Environment/
| TargetObject = /(?i)(UserInitMprLogonScript|Userinit|Scripts)/
| "Logon Script Registry Key Modified" as DetectionType
| table([_timereceived, ComputerName, UserName, TargetObject, RegStringValue, ImageFileName, CommandLine, DetectionType])

// Aggregate summary across all detection types (combine above with union pattern)
// Full unified hunting query:
(
  (
    #event_simpleName = "PeFileWritten" OR #event_simpleName = "NewExecutableWritten"
    | TargetFilename = /(?i)\\(NETLOGON|SYSVOL|scripts)\\/
    | TargetFilename = /(?i)\.(bat|cmd|ps1|vbs|js|wsf|hta)$/
    | "Script File in NETLOGON/SYSVOL" as DetectionType
    | rename(TargetFilename, as=Indicator)
  )
  union
  (
    #event_simpleName = "ProcessRollup2"
    | ParentBaseFileName = /(?i)^(userinit|explorer)\.exe$/
    | ImageFileName = /(?i)\\(cmd|powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32)\.exe$/
    | CommandLine = /(?i)(NETLOGON|SYSVOL|\\scripts\\)/
    | "Suspicious Logon Script Interpreter" as DetectionType
    | rename(CommandLine, as=Indicator)
  )
  union
  (
    #event_simpleName = /^(RegValueUpdate|RegValueCreate)$/
    | TargetObject = /(?i)(Winlogon|Environment|Windows\\System)/
    | TargetObject = /(?i)(UserInitMprLogonScript|Userinit)/
    | "Logon Script Registry Modified" as DetectionType
    | rename(TargetObject, as=Indicator)
  )
)
| groupBy([ComputerName, UserName, DetectionType], function=count(as=EventCount))
| sort(EventCount, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection (ProcessRollup2) CrowdStrike Falcon Endpoint Protection (PeFileWritten, NewExecutableWritten) CrowdStrike Falcon Endpoint Protection (RegValueUpdate, RegValueCreate) CrowdStrike Falcon Event Stream (event_simpleName field)

Required Tables

falcon:processrollup2 falcon:pefilewritten falcon:newexecutablewritten falcon:regvalueupdate falcon:regvaluecreate

False Positives

Legitimate Group Policy or domain administration workflows where IT staff deploy updated login scripts to NETLOGON/SYSVOL, triggering PeFileWritten events on domain controllers.
Software installers or endpoint management agents (e.g., CrowdStrike Falcon sensor updates, SCCM client) that modify Winlogon registry keys during installation, generating RegValueUpdate events.
PowerShell-based management scripts legitimately launched by IT tooling through userinit.exe or explorer.exe at session initialization that happen to reference SYSVOL paths for configuration loading.
SYSVOL DFS-R replication processes propagating legitimate administrator-sanctioned script changes to all domain controllers in the forest.

Last updated: 2026-04-16 Research depth: deep

References (8)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1037.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1037Boot or Logon Initialization Scripts

Related Sub-techniques

T1037.001Logon Script (Windows)T1037.002Login Hook T1037.004RC Scripts T1037.005Startup Items

Network Logon Script

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections