T1037.003 Sumo Logic CSE · Sumo

Detect Network Logon Script in Sumo Logic CSE

Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects. These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, initializing one of these scripts could apply to more than one or potentially all systems. Adversaries may use these scripts to maintain persistence on a network. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

MITRE ATT&CK

Tactic
Persistence Privilege Escalation
Technique
T1037 Boot or Logon Initialization Scripts
Sub-technique
T1037.003 Network Logon Script
Canonical reference
https://attack.mitre.org/techniques/T1037/003/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
// Detection 1: Script file created in NETLOGON/SYSVOL (Sysmon Event 11)
(_sourceCategory="windows/sysmon" OR _sourceCategory="WinEventLog/Sysmon")
| where EventID = "11"
| where TargetFilename matches "*\\NETLOGON\\*"
  OR TargetFilename matches "*\\SYSVOL\\*"
  OR TargetFilename matches "*\\scripts\\*"
| where TargetFilename matches "*.bat"
  OR TargetFilename matches "*.cmd"
  OR TargetFilename matches "*.ps1"
  OR TargetFilename matches "*.vbs"
  OR TargetFilename matches "*.js"
  OR TargetFilename matches "*.wsf"
  OR TargetFilename matches "*.hta"
| fields _messagetime, Computer, User, Image, CommandLine, TargetFilename
| "Script File Created in NETLOGON/SYSVOL" as DetectionType

// Detection 2: Suspicious process spawned from logon script path (Sysmon Event 1)
// Run as separate query and union results
(_sourceCategory="windows/sysmon" OR _sourceCategory="WinEventLog/Sysmon")
| where EventID = "1"
| where (ParentImage matches "*\\userinit.exe" OR ParentImage matches "*\\explorer.exe")
| where Image matches "*\\cmd.exe"
  OR Image matches "*\\powershell.exe"
  OR Image matches "*\\pwsh.exe"
  OR Image matches "*\\wscript.exe"
  OR Image matches "*\\cscript.exe"
  OR Image matches "*\\mshta.exe"
  OR Image matches "*\\rundll32.exe"
  OR Image matches "*\\regsvr32.exe"
| where CommandLine matches "*NETLOGON*"
  OR CommandLine matches "*SYSVOL*"
  OR CommandLine matches "*\\scripts\\*"
  OR ParentCommandLine matches "*NETLOGON*"
  OR ParentCommandLine matches "*SYSVOL*"
| fields _messagetime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine
| "Suspicious Logon Script Process Execution" as DetectionType

// Detection 3: Registry logon script key modified (Sysmon Event 13)
(_sourceCategory="windows/sysmon" OR _sourceCategory="WinEventLog/Sysmon")
| where EventID = "13"
| where TargetObject matches "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*"
  OR TargetObject matches "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System*"
  OR TargetObject matches "*\\Environment*"
| where TargetObject matches "*UserInitMprLogonScript*"
  OR TargetObject matches "*Userinit*"
| fields _messagetime, Computer, User, Image, CommandLine, TargetObject, Details
| "Logon Script Registry Key Modified" as DetectionType

// Detection 4: AD scriptPath attribute modified (Security Event 5136)
(_sourceCategory="windows/security" OR _sourceCategory="WinEventLog/Security")
| where EventID = "5136"
| where AttributeLDAPDisplayName = "scriptPath"
| fields _messagetime, Computer, SubjectUserName, ObjectDN, AttributeLDAPDisplayName, AttributeValue
| "AD scriptPath Attribute Modified" as DetectionType
high severity high confidence

Detects T1037.003 Network Logon Script persistence across four detection vectors using Sumo Logic CSE normalized fields: (1) Sysmon 11 script file creation in NETLOGON/SYSVOL paths with suspicious extensions, (2) Sysmon 1 suspicious interpreter process spawned from userinit or explorer referencing logon script paths, (3) Sysmon 13 registry modifications to Winlogon/Environment logon script keys, and (4) Windows Security 5136 for AD user object scriptPath attribute changes. Each sub-detection should be run independently and results aggregated in a dashboard or scheduled search.

Data Sources

Sysmon Operational Event Logs (EventID 1, 11, 13) via Sumo Logic Windows collectorWindows Security Event Log (EventID 5136) via Sumo Logic Windows collectorSumo Logic Cloud SIEM Enterprise (CSE) normalized Windows events

Required Tables

windows/sysmonWinEventLog/Sysmonwindows/securityWinEventLog/Security

False Positives & Tuning

  • Group Policy administrators updating login scripts deployed via GPO to NETLOGON or SYSVOL shares as part of quarterly policy refresh cycles.
  • Legitimate software installations or updates that modify the Userinit registry key as part of their installer logic (rare but occurs with legacy enterprise software).
  • Security or identity management tools that modify user AD attributes including scriptPath as part of automated provisioning workflows.
  • Domain controller SYSVOL DFS-R replication creating Sysmon file events on all domain controllers when any script is updated on the primary DC.
Download portable Sigma rule (.yml)

Other platforms for T1037.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Set AD User ScriptPath Attribute via PowerShell

    Expected signal: Security Event ID 5136 on Domain Controller: Directory Service Object Modification with AttributeLDAPDisplayName=scriptPath and the new AttributeValue. AuditLogs (Azure AD) OperationName='Update user' with modifiedProperties containing scriptPath. PowerShell ScriptBlock Log Event ID 4104 with Set-ADUser command.

  2. Test 2Create Malicious Script in NETLOGON Share

    Expected signal: Sysmon Event ID 11 (File Create) on the domain controller: TargetFilename containing \NETLOGON\test_logon_script.bat, Image=powershell.exe. Security Event ID 4663 (if file auditing enabled on NETLOGON share): Object Access with ObjectName=\NETLOGON\test_logon_script.bat.

  3. Test 3Set UserInitMprLogonScript Registry Value for Persistence

    Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject=HKCU\Environment\UserInitMprLogonScript, Details=C:\Windows\Temp\test_logon.bat, Image=powershell.exe. Sysmon Event ID 11 (File Create) for the test_logon.bat script file creation. On next logon: Sysmon Event ID 1 process creation for cmd.exe executing the .bat file via userinit.exe.

  4. Test 4Simulate Logon Script Execution via userinit.exe Command Chain

    Expected signal: Sysmon Event ID 1 (Process Create): Image=cmd.exe, CommandLine containing NETLOGON path reference, ParentImage=powershell.exe (or cmd.exe in nested execution). Security Event ID 4688 (if command line auditing enabled): NewProcessName=cmd.exe with CommandLine containing NETLOGON. Sysmon Event ID 11: file creation for test output files.

Last updated: 2026-04-16 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1037.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1037Boot or Logon Initialization Scripts

Related Sub-techniques

T1037.001Logon Script (Windows)T1037.002Login HookT1037.004RC ScriptsT1037.005Startup Items

Related Techniques

T1037Boot or Logon Initialization ScriptsT1037.001Logon Script (Windows)T1037.002Login HookT1053.005Scheduled TaskT1078.002Domain AccountsT1484.001Group Policy ModificationT1059.001PowerShellT1059.003Windows Command ShellT1059.005Visual BasicT1105Ingress Tool TransferT1550.003Pass the Ticket

Same Tactic: Persistence

Popular Detections