T1037 Google Chronicle · YARA-L

Detect Boot or Logon Initialization Scripts in Google Chronicle

Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. On Windows, logon scripts can be set via the UserInitMprLogonScript registry value under HKCU\Environment, or via Group Policy. On Linux and macOS, adversaries target RC scripts (/etc/rc.d/, /etc/init.d/, /etc/rc.local), systemd unit files, login hooks, and startup items. These mechanisms execute with elevated privileges and survive reboots, making them effective persistence mechanisms. Threat groups including APT41, APT29, Rocke, and UNC3886 have all leveraged initialization script abuse, targeting both enterprise endpoints and network appliances.

MITRE ATT&CK

Tactic
Persistence, Privilege Escalation
Technique
T1037 Boot or Logon Initialization Scripts
Canonical reference
https://attack.mitre.org/techniques/T1037/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1037_boot_logon_initialization_scripts {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1037 Boot or Logon Initialization Script persistence on Windows, Linux, and macOS"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1037"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1037/"
    reference = "https://attack.mitre.org/techniques/T1037/"
    created = "2026-04-16"
    version = "1.0"

  events:
    (
      // Branch 1: Windows registry logon script persistence via UserInitMprLogonScript.
      // The key (HKCU\Environment) and the value name are both required: a write under
      // Environment alone (PATH, TEMP, ...) happens constantly and is not a signal.
      (
        $e.metadata.event_type = "REGISTRY_MODIFICATION"
        and re.regex($e.target.registry.registry_key, `(?i)\\Environment(\\UserInitMprLogonScript)?$`)
        and (
          re.regex($e.target.registry.registry_value_name, `(?i)^UserInitMprLogonScript$`)
          or re.regex($e.target.registry.registry_key, `(?i)\\UserInitMprLogonScript$`)
        )
      )
      or
      // Branch 2: Script file dropped into Group Policy, SYSVOL, or netlogon directories
      (
        $e.metadata.event_type = "FILE_CREATION"
        and re.regex($e.target.file.full_path, `(?i)(GroupPolicy|SYSVOL|netlogon)`)
        and re.regex($e.target.file.full_path, `(?i)\.(bat|cmd|vbs|ps1|js|wsf)$`)
      )
      or
      // Branch 3: Linux init/rc script created or modified.
      // /etc/rc.local is a file, the other entries are directories, so they are matched
      // separately; Linux paths are case-sensitive, so no (?i) here.
      (
        (
          $e.metadata.event_type = "FILE_CREATION"
          or $e.metadata.event_type = "FILE_MODIFICATION"
        )
        and re.regex($e.target.file.full_path, `^/etc/(rc\.local|(rc\.d|init\.d|init|rc[0-6S]\.d)/.+)$`)
      )
      or
      // Branch 4: macOS login hook configured via `defaults write com.apple.loginwindow LoginHook`.
      // For PROCESS_LAUNCH the launched process is target.process; principal.process is its parent.
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.target.process.file.full_path, `(?i)/defaults$`)
        and re.regex($e.target.process.command_line, `(?i)write.*(LoginHook|LogoutHook)`)
      )
    )
    // The match section may only reference placeholder variables declared in events
    $hostname = $e.principal.hostname

  match:
    $hostname over 5m

  outcome:
    // Per-branch weights; max() keeps the highest-scoring event in the window
    $risk_score = max(
      if($e.metadata.event_type = "REGISTRY_MODIFICATION", 85,
      if($e.metadata.event_type = "FILE_CREATION" and re.regex($e.target.file.full_path, `(?i)(GroupPolicy|SYSVOL|netlogon)`), 80,
      if($e.metadata.event_type = "FILE_CREATION" and re.regex($e.target.file.full_path, `^/etc/(rc|init)`), 75,
      if($e.metadata.event_type = "FILE_MODIFICATION" and re.regex($e.target.file.full_path, `^/etc/(rc|init)`), 70,
      if($e.metadata.event_type = "PROCESS_LAUNCH", 80, 50)))))
    )
    // Because the rule has a match section, outcome values derived from $e must be aggregated
    $detection_branch = array_distinct(
      if($e.metadata.event_type = "REGISTRY_MODIFICATION", "Windows-LogonScript-Registry",
      if($e.metadata.event_type = "FILE_CREATION" and re.regex($e.target.file.full_path, `(?i)(GroupPolicy|SYSVOL|netlogon)`), "Windows-StartupScript-FileCreate",
      if($e.metadata.event_type = "FILE_CREATION" and re.regex($e.target.file.full_path, `^/etc/(rc|init)`), "Linux-InitScript-FileCreate",
      if($e.metadata.event_type = "FILE_MODIFICATION" and re.regex($e.target.file.full_path, `^/etc/(rc|init)`), "Linux-InitScript-FileModify",
      if($e.metadata.event_type = "PROCESS_LAUNCH", "macOS-LoginHook-Configured", "Unknown")))))
    )
    $username = array_distinct($e.principal.user.userid)
    $initiating_process = array_distinct($e.principal.process.file.full_path)

  condition:
    $e
}

Severity: HIGH. Confidence: HIGH.

Chronicle YARA-L 2.0 rule detecting T1037 Boot or Logon Initialization Script persistence across Windows, Linux, and macOS using UDM event types. Covers four branches: Windows registry modification of UserInitMprLogonScript (REGISTRY_MODIFICATION), script file drops into Group Policy/SYSVOL/netlogon (FILE_CREATION), Linux RC/init.d script creation or modification (FILE_CREATION, FILE_MODIFICATION), and macOS login hook configuration via 'defaults write' (PROCESS_LAUNCH). Risk scoring is outcome-based with per-branch weights. Matches over a 5-minute window per hostname.

Data Sources

  • Chronicle UDM (Unified Data Model) ingestion from endpoint agents
  • Google Chronicle SIEM with Windows event log forwarding
  • Chronicle Linux log ingestion via Bindplane or forwarders
  • Chronicle macOS event collection via Endpoint Detection agents
  • Microsoft Defender for Endpoint via Chronicle integration

Required Tables

  • UDM events (REGISTRY_MODIFICATION)
  • UDM events (FILE_CREATION)
  • UDM events (FILE_MODIFICATION)
  • UDM events (PROCESS_LAUNCH)

False Positives & Tuning

  • Group Policy administrators legitimately creating or modifying batch/PowerShell scripts in SYSVOL or netlogon shares for domain-wide software deployment — create reference lists of authorized GPO admin accounts and either exclude them from the rule or reduce their risk score.
  • Linux package installation via apt/yum/dnf that adds service init scripts to /etc/init.d/ or /etc/rc.d/ — the initiating process in these events is a known package-management binary (dpkg, rpm, yum), so they can be excluded by filtering on the initiating process path.
  • macOS fleet management tools (Jamf Pro, Mosyle, Microsoft Intune) that configure login or logout hooks as part of standard device enrollment and policy enforcement — baseline the MDM agent's process signatures and exclude by principal process identity.

Testing Methodology

Validate this detection against four adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Windows Logon Script via UserInitMprLogonScript Registry

    Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject=HKCU\Environment\UserInitMprLogonScript, Details=%TEMP%\argus-test-logon.bat, Image=reg.exe. Sysmon Event ID 11 (File Create): TargetFilename=%TEMP%\argus-test-logon.bat. DeviceRegistryEvents in MDE will show ActionType=RegistryValueSet with RegistryValueName=UserInitMprLogonScript.

  2. Test 2: Linux RC Script Persistence via init.d

    Expected signal: Linux auditd SYSCALL=openat/write with name=/etc/init.d/argus-test and exe=bash or exe=tee. Syslog entries for update-rc.d execution. If the auditd rule -w /etc/init.d -p wa -k init_script_write is in place, ausearch will return the creation event with auid, uid, pid, and full command context. File creation timestamp visible via stat /etc/init.d/argus-test.

  3. Test 3: macOS Login Hook Configuration

    Expected signal: Sysmon for macOS Event ID 1 (Process Create): Image=defaults, CommandLine contains 'write com.apple.loginwindow LoginHook'. File create event for /tmp/argus-loginhook.sh. MDE DeviceProcessEvents will show FileName=defaults with ProcessCommandLine referencing LoginHook. On execution at next login: launchd spawning the hook script as parent.

  4. Test 4: Windows Network Logon Script via Group Policy INI

    Expected signal: Sysmon Event ID 11 (File Create): TargetFilename in %SYSTEMROOT%\System32\GroupPolicy\User\Scripts\Logon\ with .bat extension. DeviceFileEvents ActionType=FileCreated for both the script and scripts.ini. Security Event ID 4688 (cmd.exe executing mkdir and echo). On next logon: userinit.exe spawning the script from the GroupPolicy Scripts directory.
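To check the branch logic and the per-hostname risk weighting offline before pushing the rule to Chronicle, the following Python script re-implements the four detection branches and the 5-minute `max()`-per-host outcome over constructed UDM-like events. It is added here as an example and is not part of the page's rule or Argus's tooling. The events mirror Tests 1 through 4 above plus three benign near-misses: a PATH write under HKCU\Environment, a backup copy next to /etc/rc.local, and a `defaults read` of the hook. The flat dict field names (event_type, registry_key, registry_value_name, file_path, process_path, command_line, hostname) are an assumption made for the example and stand in for UDM's nested paths such as target.registry.registry_key and target.file.full_path.

```python
import re

# Patterns mirror the YARA-L branches. Field names below are a flattened
# stand-in for UDM paths (assumption for this example), e.g. "registry_key"
# for target.registry.registry_key and "file_path" for target.file.full_path.
WIN_LOGON_KEY = re.compile(r"\\Environment(\\UserInitMprLogonScript)?$", re.I)
WIN_LOGON_VALUE = re.compile(r"^UserInitMprLogonScript$", re.I)
WIN_LOGON_KEY_WITH_VALUE = re.compile(r"\\UserInitMprLogonScript$", re.I)
GPO_PATH = re.compile(r"(GroupPolicy|SYSVOL|netlogon)", re.I)
SCRIPT_EXT = re.compile(r"\.(bat|cmd|vbs|ps1|js|wsf)$", re.I)
# /etc/rc.local is a file; the other entries are directories whose contents matter.
LINUX_INIT = re.compile(r"^/etc/(rc\.local|(rc\.d|init\.d|init|rc[0-6S]\.d)/.+)$")
MAC_DEFAULTS = re.compile(r"/defaults$", re.I)
MAC_HOOK_WRITE = re.compile(r"write.*(LoginHook|LogoutHook)", re.I)

# Per-branch weights, the same values as the rule's outcome section.
BRANCH_SCORES = {
    "Windows-LogonScript-Registry": 85,
    "Windows-StartupScript-FileCreate": 80,
    "Linux-InitScript-FileCreate": 75,
    "Linux-InitScript-FileModify": 70,
    "macOS-LoginHook-Configured": 80,
}


def classify(event):
    """Return the detection branch an event falls into, or None when no branch matches."""
    et = event.get("event_type")
    if et == "REGISTRY_MODIFICATION":
        key = event.get("registry_key", "")
        value = event.get("registry_value_name", "")
        # Key under Environment AND the specific value: a bare Environment write is noise.
        if WIN_LOGON_KEY.search(key) and (
            WIN_LOGON_VALUE.search(value) or WIN_LOGON_KEY_WITH_VALUE.search(key)
        ):
            return "Windows-LogonScript-Registry"
        return None
    if et in ("FILE_CREATION", "FILE_MODIFICATION"):
        path = event.get("file_path", "")
        if et == "FILE_CREATION" and GPO_PATH.search(path) and SCRIPT_EXT.search(path):
            return "Windows-StartupScript-FileCreate"
        if LINUX_INIT.search(path):
            return "Linux-InitScript-FileCreate" if et == "FILE_CREATION" else "Linux-InitScript-FileModify"
        return None
    if et == "PROCESS_LAUNCH":
        if MAC_DEFAULTS.search(event.get("process_path", "")) and MAC_HOOK_WRITE.search(
            event.get("command_line", "")
        ):
            return "macOS-LoginHook-Configured"
    return None


def score_by_host(events):
    """Emulate 'match: $hostname over 5m': group hits per host, keep max risk and distinct branches."""
    hosts = {}
    for ev in events:
        branch = classify(ev)
        if branch is None:
            continue
        entry = hosts.setdefault(ev["hostname"], {"risk_score": 0, "branches": set()})
        entry["risk_score"] = max(entry["risk_score"], BRANCH_SCORES[branch])
        entry["branches"].add(branch)
    return {h: {"risk_score": e["risk_score"], "branches": sorted(e["branches"])} for h, e in hosts.items()}


# Constructed sample events: the first four mirror Tests 1-4, the rest are benign near-misses.
SAMPLE_EVENTS = [
    {"hostname": "ws01", "event_type": "REGISTRY_MODIFICATION",
     "registry_key": r"HKEY_CURRENT_USER\Environment", "registry_value_name": "UserInitMprLogonScript"},
    {"hostname": "lnx01", "event_type": "FILE_CREATION", "file_path": "/etc/init.d/argus-test"},
    {"hostname": "mac01", "event_type": "PROCESS_LAUNCH", "process_path": "/usr/bin/defaults",
     "command_line": "defaults write com.apple.loginwindow LoginHook /tmp/argus-loginhook.sh"},
    {"hostname": "ws02", "event_type": "FILE_CREATION",
     "file_path": r"C:\Windows\System32\GroupPolicy\User\Scripts\Logon\argus-test.bat"},
    # Benign: PATH update under the same Environment key (a key-only rule would fire here)
    {"hostname": "ws01", "event_type": "REGISTRY_MODIFICATION",
     "registry_key": r"HKEY_CURRENT_USER\Environment", "registry_value_name": "Path"},
    # Benign: backup copy next to rc.local; then a modification of rc.local itself (true hit)
    {"hostname": "lnx01", "event_type": "FILE_CREATION", "file_path": "/etc/rc.local.bak"},
    {"hostname": "lnx01", "event_type": "FILE_MODIFICATION", "file_path": "/etc/rc.local"},
    # Benign: reading the hook is not configuring it
    {"hostname": "mac01", "event_type": "PROCESS_LAUNCH", "process_path": "/usr/bin/defaults",
     "command_line": "defaults read com.apple.loginwindow LoginHook"},
]

if __name__ == "__main__":
    for host, result in score_by_host(SAMPLE_EVENTS).items():
        print(host, result)
```

Running the script prints one line per host; lnx01 should come out at risk 75 with both Linux branches listed, while the three benign events produce no entry at all. Adding new sample events to SAMPLE_EVENTS is the quickest way to check a tuning change (for example an initiating-process allowlist for dpkg/rpm) before editing the YARA-L.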
