Detect Network Logon Script in IBM QRadar
Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects. These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, initializing one of these scripts could apply to more than one or potentially all systems. Adversaries may use these scripts to maintain persistence on a network. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.
MITRE ATT&CK
- Tactic
- Persistence Privilege Escalation
- Sub-technique
- T1037.003 Network Logon Script
- Canonical reference
- https://attack.mitre.org/techniques/T1037/003/
QRadar Detection Query
-- Detection 1: Script file created/modified in NETLOGON/SYSVOL (Sysmon Event 11)
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
logsourcename(logsourceid) AS log_source,
"sourceip" AS host_ip,
username,
QIDNAME(qid) AS event_name,
"TargetFilename" AS target_file,
"Image" AS initiating_image,
'Script File in NETLOGON/SYSVOL' AS detection_type
FROM events
WHERE
LOGSOURCETYPEID(logsourceid) = 12 -- Windows
AND QIDNAME(qid) LIKE '%Sysmon%'
AND LONG("EventID") = 11
AND (
"TargetFilename" ILIKE '%\NETLOGON\%'
OR "TargetFilename" ILIKE '%\SYSVOL\%'
OR "TargetFilename" ILIKE '%\scripts\%'
)
AND (
"TargetFilename" ILIKE '%.bat'
OR "TargetFilename" ILIKE '%.cmd'
OR "TargetFilename" ILIKE '%.ps1'
OR "TargetFilename" ILIKE '%.vbs'
OR "TargetFilename" ILIKE '%.js'
OR "TargetFilename" ILIKE '%.wsf'
OR "TargetFilename" ILIKE '%.hta'
)
AND devicetime > NOW() - 86400000
UNION ALL
-- Detection 2: Suspicious process spawned from logon script path (Sysmon Event 1)
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
logsourcename(logsourceid) AS log_source,
"sourceip" AS host_ip,
username,
QIDNAME(qid) AS event_name,
"CommandLine" AS target_file,
"Image" AS initiating_image,
'Suspicious Logon Script Process Execution' AS detection_type
FROM events
WHERE
LOGSOURCETYPEID(logsourceid) = 12
AND QIDNAME(qid) LIKE '%Sysmon%'
AND LONG("EventID") = 1
AND (
"ParentImage" ILIKE '%\userinit.exe'
OR "ParentImage" ILIKE '%\explorer.exe'
)
AND (
"Image" ILIKE '%\cmd.exe'
OR "Image" ILIKE '%\powershell.exe'
OR "Image" ILIKE '%\wscript.exe'
OR "Image" ILIKE '%\cscript.exe'
OR "Image" ILIKE '%\mshta.exe'
OR "Image" ILIKE '%\rundll32.exe'
OR "Image" ILIKE '%\regsvr32.exe'
)
AND (
"CommandLine" ILIKE '%NETLOGON%'
OR "CommandLine" ILIKE '%SYSVOL%'
OR "CommandLine" ILIKE '%\scripts\%'
OR "ParentCommandLine" ILIKE '%NETLOGON%'
OR "ParentCommandLine" ILIKE '%SYSVOL%'
)
AND devicetime > NOW() - 86400000
UNION ALL
-- Detection 3: Logon script registry key modified (Sysmon Event 13)
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
logsourcename(logsourceid) AS log_source,
"sourceip" AS host_ip,
username,
QIDNAME(qid) AS event_name,
"TargetObject" AS target_file,
"Image" AS initiating_image,
'Logon Script Registry Key Modified' AS detection_type
FROM events
WHERE
LOGSOURCETYPEID(logsourceid) = 12
AND QIDNAME(qid) LIKE '%Sysmon%'
AND LONG("EventID") = 13
AND (
"TargetObject" ILIKE '%\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon%'
OR "TargetObject" ILIKE '%\SOFTWARE\Policies\Microsoft\Windows\System%'
OR "TargetObject" ILIKE '%\Environment%'
)
AND (
"TargetObject" ILIKE '%UserInitMprLogonScript%'
OR "TargetObject" ILIKE '%Userinit%'
)
AND devicetime > NOW() - 86400000
UNION ALL
-- Detection 4: AD scriptPath attribute modified (Security Event 5136)
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
logsourcename(logsourceid) AS log_source,
"sourceip" AS host_ip,
username,
QIDNAME(qid) AS event_name,
"ObjectDN" AS target_file,
"SubjectUserName" AS initiating_image,
'AD scriptPath Attribute Modified' AS detection_type
FROM events
WHERE
LOGSOURCETYPEID(logsourceid) = 12
AND LONG("EventID") = 5136
AND "AttributeLDAPDisplayName" = 'scriptPath'
AND devicetime > NOW() - 86400000
ORDER BY event_time DESCDetects T1037.003 Network Logon Script persistence using four AQL queries unioned together: (1) Sysmon Event 11 for script file creation in NETLOGON/SYSVOL, (2) Sysmon Event 1 for suspicious interpreter processes launched from logon script paths via userinit/explorer, (3) Sysmon Event 13 for registry modifications to Winlogon or Environment keys related to logon scripts, and (4) Windows Security Event 5136 for Active Directory scriptPath attribute modifications on user objects.
Data Sources
Required Tables
False Positives & Tuning
- Domain administrators legitimately modifying the scriptPath attribute of user objects in Active Directory during onboarding, offboarding, or Group Policy refresh cycles.
- IT automation systems (SCCM, Intune, or custom deployment scripts) that create or update login scripts in NETLOGON or SYSVOL as part of routine software distribution.
- Security tools or endpoint agents that modify Winlogon registry keys during installation or updates, triggering Sysmon Event 13 on the registry path.
- DC replication of legitimate SYSVOL content creating Sysmon file events on replica domain controllers.
Other platforms for T1037.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Set AD User ScriptPath Attribute via PowerShell
Expected signal: Security Event ID 5136 on Domain Controller: Directory Service Object Modification with AttributeLDAPDisplayName=scriptPath and the new AttributeValue. AuditLogs (Azure AD) OperationName='Update user' with modifiedProperties containing scriptPath. PowerShell ScriptBlock Log Event ID 4104 with Set-ADUser command.
- Test 2Create Malicious Script in NETLOGON Share
Expected signal: Sysmon Event ID 11 (File Create) on the domain controller: TargetFilename containing \NETLOGON\test_logon_script.bat, Image=powershell.exe. Security Event ID 4663 (if file auditing enabled on NETLOGON share): Object Access with ObjectName=\NETLOGON\test_logon_script.bat.
- Test 3Set UserInitMprLogonScript Registry Value for Persistence
Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject=HKCU\Environment\UserInitMprLogonScript, Details=C:\Windows\Temp\test_logon.bat, Image=powershell.exe. Sysmon Event ID 11 (File Create) for the test_logon.bat script file creation. On next logon: Sysmon Event ID 1 process creation for cmd.exe executing the .bat file via userinit.exe.
- Test 4Simulate Logon Script Execution via userinit.exe Command Chain
Expected signal: Sysmon Event ID 1 (Process Create): Image=cmd.exe, CommandLine containing NETLOGON path reference, ParentImage=powershell.exe (or cmd.exe in nested execution). Security Event ID 4688 (if command line auditing enabled): NewProcessName=cmd.exe with CommandLine containing NETLOGON. Sysmon Event ID 11: file creation for test output files.
References (8)
- https://attack.mitre.org/techniques/T1037/003/
- https://www.petri.com/setting-up-logon-script-through-active-directory-users-computers-windows-server-2008
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn789190(v=ws.11)
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.003/T1037.003.md
- https://adsecurity.org/?p=2716
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5136
- https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/active-directory-replication-status-tool
Unlock Pro Content
Get the full detection package for T1037.003 including response playbook, investigation guide, and atomic red team tests.