Detect Network Logon Script in Microsoft Sentinel
Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects. These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, initializing one of these scripts could apply to more than one or potentially all systems. Adversaries may use these scripts to maintain persistence on a network. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.
MITRE ATT&CK
- Tactic
- Persistence Privilege Escalation
- Sub-technique
- T1037.003 Network Logon Script
- Canonical reference
- https://attack.mitre.org/techniques/T1037/003/
KQL Detection Query
let SuspiciousScriptExtensions = dynamic([".bat", ".cmd", ".ps1", ".vbs", ".js", ".wsf", ".hta"]);
let KnownLogonScriptPaths = dynamic(["\\NETLOGON\\", "\\SYSVOL\\", "\\scripts\\"]);
// Detection 1: AD User object ScriptPath attribute modification via LDAP/AD changes
let ADScriptChange = AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName has_any ("Update user", "Modify user")
| where TargetResources has "scriptPath"
| extend ModifiedBy = tostring(InitiatedBy.user.userPrincipalName)
| extend TargetUser = tostring(TargetResources[0].userPrincipalName)
| extend ChangedProperties = tostring(TargetResources[0].modifiedProperties)
| project TimeGenerated, OperationName, ModifiedBy, TargetUser, ChangedProperties, CorrelationId
| extend DetectionType = "AD ScriptPath Attribute Modified";
// Detection 2: Script file created or modified in NETLOGON/SYSVOL share paths
let ScriptFileCreation = DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath has_any (KnownLogonScriptPaths)
| where FileName has_any (SuspiciousScriptExtensions)
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| project Timestamp, DeviceName, AccountName, FolderPath, FileName, ActionType,
InitiatingProcessFileName, InitiatingProcessCommandLine, SHA256
| extend DetectionType = "Script File Created/Modified in NETLOGON/SYSVOL";
// Detection 3: Suspicious process spawned from logon script host processes at logon
let LogonScriptExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("userinit.exe", "explorer.exe")
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe")
| where ProcessCommandLine has_any (KnownLogonScriptPaths) or
(InitiatingProcessCommandLine has_any (KnownLogonScriptPaths))
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine
| extend DetectionType = "Suspicious Process Spawned from Logon Script Path";
// Detection 4: Registry key for logon script set or modified
let RegistryLogonScript = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any (
"\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
"\\SOFTWARE\\Policies\\Microsoft\\Windows\\System",
"\\Environment"
)
| where RegistryValueName in~ ("UserInitMprLogonScript", "Userinit", "Scripts")
| project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName,
RegistryValueData, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine
| extend DetectionType = "Logon Script Registry Key Modified";
// Union all detections
ADScriptChange
| project-away ModifiedBy, TargetUser, ChangedProperties, CorrelationId
| union
(ScriptFileCreation | project-away ActionType, SHA256),
(LogonScriptExecution | project-away FileName),
(RegistryLogonScript | project-away RegistryKey, RegistryValueName, RegistryValueData, ActionType)
| sort by TimeGenerated descDetects network logon script persistence via four complementary signals: (1) Active Directory user object scriptPath attribute modification via Azure AD Audit Logs, (2) script file creation or modification in NETLOGON/SYSVOL share paths via DeviceFileEvents, (3) suspicious child processes spawned from logon script host processes (userinit.exe, explorer.exe) with paths referencing NETLOGON/SYSVOL, and (4) registry key modifications to known logon script registry values (UserInitMprLogonScript, Userinit). Together these cover the key stages of network logon script abuse: setting the script, staging it on a share, and observing its execution.
Data Sources
Required Tables
False Positives & Tuning
- IT administrators legitimately deploying or updating logon scripts via Group Policy or AD Users and Computers for software deployment or environment configuration
- SCCM/Intune or other endpoint management platforms that modify SYSVOL/NETLOGON share contents as part of normal GPO operations
- Automated provisioning systems that set the scriptPath attribute on new user accounts during onboarding workflows
- Domain controllers replicating SYSVOL content via DFS-R or FRS, which generates file creation/modification events in the SYSVOL path
Other platforms for T1037.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Set AD User ScriptPath Attribute via PowerShell
Expected signal: Security Event ID 5136 on Domain Controller: Directory Service Object Modification with AttributeLDAPDisplayName=scriptPath and the new AttributeValue. AuditLogs (Azure AD) OperationName='Update user' with modifiedProperties containing scriptPath. PowerShell ScriptBlock Log Event ID 4104 with Set-ADUser command.
- Test 2Create Malicious Script in NETLOGON Share
Expected signal: Sysmon Event ID 11 (File Create) on the domain controller: TargetFilename containing \NETLOGON\test_logon_script.bat, Image=powershell.exe. Security Event ID 4663 (if file auditing enabled on NETLOGON share): Object Access with ObjectName=\NETLOGON\test_logon_script.bat.
- Test 3Set UserInitMprLogonScript Registry Value for Persistence
Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject=HKCU\Environment\UserInitMprLogonScript, Details=C:\Windows\Temp\test_logon.bat, Image=powershell.exe. Sysmon Event ID 11 (File Create) for the test_logon.bat script file creation. On next logon: Sysmon Event ID 1 process creation for cmd.exe executing the .bat file via userinit.exe.
- Test 4Simulate Logon Script Execution via userinit.exe Command Chain
Expected signal: Sysmon Event ID 1 (Process Create): Image=cmd.exe, CommandLine containing NETLOGON path reference, ParentImage=powershell.exe (or cmd.exe in nested execution). Security Event ID 4688 (if command line auditing enabled): NewProcessName=cmd.exe with CommandLine containing NETLOGON. Sysmon Event ID 11: file creation for test output files.
References (8)
- https://attack.mitre.org/techniques/T1037/003/
- https://www.petri.com/setting-up-logon-script-through-active-directory-users-computers-windows-server-2008
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn789190(v=ws.11)
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.003/T1037.003.md
- https://adsecurity.org/?p=2716
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5136
- https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/active-directory-replication-status-tool
Unlock Pro Content
Get the full detection package for T1037.003 including response playbook, investigation guide, and atomic red team tests.