Detect Boot or Logon Initialization Scripts in IBM QRadar
Adversaries may use scripts that run automatically at boot or logon to establish persistence. On Windows, logon scripts can be set via the UserInitMprLogonScript registry value under HKCU\Environment, or via Group Policy. On Linux and macOS, adversaries target RC scripts (/etc/rc.d/, /etc/init.d/, /etc/rc.local), systemd unit files, login hooks, and startup items. RC scripts and macOS login hooks run as root, while Windows logon scripts run in the context of the user logging on; all of them survive reboots, which makes them effective persistence mechanisms and, where the script runs with higher privileges than the account that planted it, a privilege escalation path. Threat groups including APT41, APT29, Rocke, and UNC3886 have all leveraged initialization script abuse, targeting both enterprise endpoints and network appliances.
MITRE ATT&CK
- Tactic: Persistence, Privilege Escalation
- Canonical reference: https://attack.mitre.org/techniques/T1037/
QRadar Detection Query
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
logsourcename(logSourceId) AS "Log Source",
username AS "Username",
hostname AS "Hostname",
sourceip AS "Source IP",
QIDNAME(qid) AS "Event Name",
CATEGORYNAME(category) AS "Category",
UTF8(payload) AS "Raw Payload",
CASE
WHEN UTF8(payload) ILIKE '%UserInitMprLogonScript%' THEN 'Windows-LogonScript-Registry'
WHEN UTF8(payload) ILIKE '%GroupPolicy%' OR UTF8(payload) ILIKE '%SYSVOL%' OR UTF8(payload) ILIKE '%netlogon%' THEN 'Windows-StartupScript-FileCreate'
WHEN UTF8(payload) ILIKE '%/etc/init.d%' OR UTF8(payload) ILIKE '%/etc/rc.d%' OR UTF8(payload) ILIKE '%/etc/rc.local%' OR UTF8(payload) ILIKE '%/etc/init/%' THEN 'Linux-InitScript-Activity'
WHEN UTF8(payload) ILIKE '%LoginHook%' OR UTF8(payload) ILIKE '%LogoutHook%' THEN 'macOS-LoginHook-Configured'
ELSE 'Unknown'
END AS "Detection Branch"
FROM events
WHERE
starttime > NOW() - 86400000
AND (
-- Branch 1: Windows registry logon script persistence
(
CATEGORYNAME(category) ILIKE '%registry%'
AND UTF8(payload) ILIKE '%UserInitMprLogonScript%'
AND UTF8(payload) ILIKE '%\Environment%'
)
OR
-- Branch 2: Script file written to Group Policy / SYSVOL / netlogon
(
CATEGORYNAME(category) ILIKE '%file%'
AND (
UTF8(payload) ILIKE '%GroupPolicy%'
OR UTF8(payload) ILIKE '%SYSVOL%'
OR UTF8(payload) ILIKE '%netlogon%'
)
AND (
UTF8(payload) ILIKE '%.bat%'
OR UTF8(payload) ILIKE '%.cmd%'
OR UTF8(payload) ILIKE '%.ps1%'
OR UTF8(payload) ILIKE '%.vbs%'
OR UTF8(payload) ILIKE '%.js%'
OR UTF8(payload) ILIKE '%.wsf%'
)
)
OR
-- Branch 3: Linux init/rc script creation or modification
(
LOGSOURCETYPENAME(devicetype) IN ('Linux OS', 'Universal DSM', 'Syslog')
AND (
UTF8(payload) ILIKE '%/etc/init.d%'
OR UTF8(payload) ILIKE '%/etc/rc.d%'
OR UTF8(payload) ILIKE '%/etc/rc.local%'
OR UTF8(payload) ILIKE '%/etc/init/%'
OR UTF8(payload) ILIKE '%/etc/rc0.d%'
OR UTF8(payload) ILIKE '%/etc/rc1.d%'
OR UTF8(payload) ILIKE '%/etc/rc2.d%'
OR UTF8(payload) ILIKE '%/etc/rc3.d%'
OR UTF8(payload) ILIKE '%/etc/rc4.d%'
OR UTF8(payload) ILIKE '%/etc/rc5.d%'
OR UTF8(payload) ILIKE '%/etc/rc6.d%'
)
AND (
UTF8(payload) ILIKE '%chmod%'
OR UTF8(payload) ILIKE '% cp %'
OR UTF8(payload) ILIKE '% mv %'
OR UTF8(payload) ILIKE '%tee %'
OR UTF8(payload) ILIKE '%install %'
OR UTF8(payload) ILIKE '% echo %'
)
)
OR
-- Branch 4: macOS login hook via defaults write
(
LOGSOURCETYPENAME(devicetype) IN ('Apple Mac OS X', 'Universal DSM', 'Syslog')
AND (
UTF8(payload) ILIKE '%defaults write%'
OR UTF8(payload) ILIKE '%defaults%LoginHook%'
)
AND (
UTF8(payload) ILIKE '%LoginHook%'
OR UTF8(payload) ILIKE '%LogoutHook%'
)
)
)
ORDER BY devicetime DESC
LIMIT 500

Detects T1037 Boot or Logon Initialization Script abuse across Windows, Linux, and macOS. Searches QRadar event payloads for indicators of registry-based Windows logon script persistence (UserInitMprLogonScript), script drops into Group Policy/SYSVOL/netlogon directories, Linux RC and init.d script manipulation via common shell commands, and macOS login hook configuration via the 'defaults write' command. Branches 1 and 2 are restricted by event category (registry and file events) and branches 3 and 4 by log source type, to reduce cross-platform false positives; the "Detection Branch" column labels each hit by the payload markers it contains.
Data Sources
- Windows registry and file events (Sysmon Event IDs 13 and 11, Security Event ID 4688, MDE DeviceRegistryEvents/DeviceFileEvents/DeviceProcessEvents) parsed into QRadar registry and file categories
- Linux auditd and syslog events (log source types Linux OS, Universal DSM, Syslog)
- macOS process and syslog events (log source types Apple Mac OS X, Universal DSM, Syslog)
Required Tables
- events
False Positives & Tuning
- Domain administrators legitimately modifying SYSVOL or netlogon logon scripts for Group Policy software deployment — correlate against change management tickets and known admin accounts.
- Package managers (apt, yum, dnf, rpm) writing init scripts to /etc/init.d/ or /etc/rc.d/ during software installation on Linux servers — baseline package manager activity and exclude known package manager binary paths.
- macOS enterprise MDM platforms (Jamf Pro, Microsoft Intune for Mac) that configure login/logout hooks for policy enforcement — whitelist known MDM agent processes and management server IP ranges.
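The following Python is an added example, not the page's own code and not an IBM or QRadar artifact. It re-implements the four WHERE branches of the AQL query above as plain case-insensitive substring tests (the equivalent of ILIKE '%needle%'), applies the three exclusions from the tuning list, and runs both over constructed sample payloads so the branch logic and the effect of each exclusion can be checked offline. Field names mirror the QRadar columns the query uses; the category names, usernames, exclusion values, agent names and log lines are all assumptions, not real telemetry.

```python
# Added example: offline emulation of the four T1037 query branches plus the
# documented tuning exclusions. All sample data below is constructed.
from dataclasses import dataclass

@dataclass
class Event:
    category: str        # stands in for CATEGORYNAME(category)
    logsourcetype: str   # stands in for LOGSOURCETYPENAME(devicetype)
    username: str        # stands in for username
    payload: str         # stands in for UTF8(payload)

def _has(text, *needles):
    """Case-insensitive substring test, the equivalent of AQL ILIKE '%needle%'."""
    low = text.lower()
    return any(n.lower() in low for n in needles)

SCRIPT_EXTS = ('.bat', '.cmd', '.ps1', '.vbs', '.js', '.wsf')
RC_PATHS = ('/etc/init.d', '/etc/rc.d', '/etc/rc.local', '/etc/init/') + tuple(
    f'/etc/rc{n}.d' for n in range(7))
SHELL_OPS = ('chmod', ' cp ', ' mv ', 'tee ', 'install ', ' echo ')
NIX_SOURCES = ('Linux OS', 'Universal DSM', 'Syslog')
MAC_SOURCES = ('Apple Mac OS X', 'Universal DSM', 'Syslog')

def classify(ev):
    """Return the Detection Branch label of the first WHERE branch that matches,
    or None. Unlike the AQL CASE expression, the label here follows the branch
    that actually matched instead of being re-derived from the payload alone."""
    if 'registry' in ev.category.lower() and _has(ev.payload, 'UserInitMprLogonScript') \
            and _has(ev.payload, '\\Environment'):
        return 'Windows-LogonScript-Registry'
    if 'file' in ev.category.lower() and _has(ev.payload, 'GroupPolicy', 'SYSVOL', 'netlogon') \
            and _has(ev.payload, *SCRIPT_EXTS):
        return 'Windows-StartupScript-FileCreate'
    if ev.logsourcetype in NIX_SOURCES and _has(ev.payload, *RC_PATHS) \
            and _has(ev.payload, *SHELL_OPS):
        return 'Linux-InitScript-Activity'
    if ev.logsourcetype in MAC_SOURCES and _has(ev.payload, 'defaults write') \
            and _has(ev.payload, 'LoginHook', 'LogoutHook'):
        return 'macOS-LoginHook-Configured'
    return None

# Tuning exclusions (assumed values; in QRadar these belong in reference sets
# queried with REFERENCESETCONTAINS rather than hard-coded in the query).
KNOWN_GPO_ADMINS = {'CORP\\gpo-deploy-svc'}
PACKAGE_MANAGER_EXES = ('/usr/bin/apt', '/usr/bin/apt-get', '/usr/bin/dpkg',
                        '/usr/bin/yum', '/usr/bin/dnf', '/usr/bin/rpm')
MDM_AGENT_PATHS = ('/Library/Application Support/JAMF/', '/Library/Intune/')

def is_expected(ev, branch):
    """True when the hit is explained by one of the documented false-positive sources."""
    if branch == 'Windows-StartupScript-FileCreate':
        return ev.username in KNOWN_GPO_ADMINS
    if branch == 'Linux-InitScript-Activity':
        return _has(ev.payload, *PACKAGE_MANAGER_EXES)
    if branch == 'macOS-LoginHook-Configured':
        return _has(ev.payload, *MDM_AGENT_PATHS)
    return False

def triage(events):
    """Return (branch, event) pairs that match a branch and survive tuning."""
    out = []
    for ev in events:
        branch = classify(ev)
        if branch and not is_expected(ev, branch):
            out.append((branch, ev))
    return out

# Constructed sample events: one true positive per branch, one tuned-out twin
# for each tunable branch, and one near miss that lacks the shell-operation marker.
WIN = 'Microsoft Windows Security Event Log'
SAMPLE_EVENTS = [
    Event('Registry Modification', WIN, 'CORP\\jsmith',
          'Sysmon EventID 13: TargetObject: HKU\\S-1-5-21-1111\\Environment\\UserInitMprLogonScript '
          'Details: C:\\Users\\jsmith\\AppData\\Local\\Temp\\argus-test-logon.bat Image: C:\\Windows\\System32\\reg.exe'),
    Event('File Created', WIN, 'CORP\\gpo-deploy-svc',
          'Sysmon EventID 11: TargetFilename: \\\\corp.example\\SYSVOL\\corp.example\\scripts\\deploy-agent.ps1'),
    Event('File Created', WIN, 'CORP\\jsmith',
          'Sysmon EventID 11: TargetFilename: \\\\corp.example\\SYSVOL\\corp.example\\scripts\\update.ps1'),
    Event('Process Start', 'Linux OS', 'root',
          'web01 procmon: cmdline="chmod 755 /etc/init.d/nginx" parent_exe=/usr/bin/dpkg'),
    Event('Process Start', 'Linux OS', 'root',
          'web01 procmon: cmdline="echo /tmp/.x/agent | tee -a /etc/rc.local" parent_exe=/bin/bash'),
    Event('Process Start', 'Apple Mac OS X', 'root',
          'mac-01 jamf[551]: defaults write com.apple.loginwindow LoginHook /Library/Application Support/JAMF/bin/loginhook.sh'),
    Event('Process Start', 'Apple Mac OS X', 'eve',
          'mac-01 sudo[733]: eve : TTY=ttys001 ; COMMAND=/usr/bin/defaults write com.apple.loginwindow LoginHook /tmp/argus-loginhook.sh'),
    Event('System Status', 'Linux OS', 'root',
          'web01 systemd[1]: Started /etc/rc.local Compatibility.'),
]

if __name__ == '__main__':
    for branch, ev in triage(SAMPLE_EVENTS):
        print(f'{branch:36} {ev.username:22} {ev.payload[:70]}')
```

Running the block prints the four events that survive: the registry write, the SYSVOL drop by a non-admin account, the tee into /etc/rc.local, and the defaults write outside any MDM path. The dpkg-driven chmod, the Jamf-issued login hook and the admin account's SYSVOL write all match a branch but are suppressed, and the systemd "Started /etc/rc.local" line never matches because the Linux branch also requires one of the shell-operation markers.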
Testing Methodology
Validate this detection against the four Atomic Red Team tests for T1037 listed below. Each test names the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Windows Logon Script via UserInitMprLogonScript Registry
Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject=HKCU\Environment\UserInitMprLogonScript, Details=%TEMP%\argus-test-logon.bat, Image=reg.exe. Sysmon Event ID 11 (File Create): TargetFilename=%TEMP%\argus-test-logon.bat. DeviceRegistryEvents in MDE will show ActionType=RegistryValueSet with RegistryValueName=UserInitMprLogonScript.
- Test 2: Linux RC Script Persistence via init.d
Expected signal: auditd SYSCALL records (syscall=openat or write) with name=/etc/init.d/argus-test and exe=bash or exe=tee. Syslog entries for update-rc.d execution. If the auditd watch rule -w /etc/init.d -p wa -k init_script_write is in place, ausearch -k init_script_write will return the creation event with auid, uid, pid, and full command context. File creation timestamp visible via stat /etc/init.d/argus-test.
- Test 3: macOS Login Hook Configuration
Expected signal: a process-creation event from an agent with macOS Endpoint Security telemetry (Sysmon has no macOS port): Image=defaults, CommandLine contains 'write com.apple.loginwindow LoginHook'. File create event for /tmp/argus-loginhook.sh. MDE DeviceProcessEvents will show FileName=defaults with ProcessCommandLine referencing LoginHook. On execution at next login: loginwindow running the hook script as root, since login hooks execute with root privileges.
- Test 4: Windows Network Logon Script via Group Policy INI
Expected signal: Sysmon Event ID 11 (File Create): TargetFilename in %SYSTEMROOT%\System32\GroupPolicy\User\Scripts\Logon\ with .bat extension. DeviceFileEvents ActionType=FileCreated for both the script and scripts.ini. Security Event ID 4688 (cmd.exe executing mkdir and echo). On next logon: gpscript.exe, launched by userinit.exe, running the script from the GroupPolicy Scripts directory.
References (10)
- https://attack.mitre.org/techniques/T1037/
- https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang
- https://www.mandiant.com/resources/blog/unc3524-eye-spy-email
- https://blog.netlab.360.com/rotajakiro-a-long-live-secret-backdoor-with-a-suspicious-connection-to-oa-system/
- https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence
- https://support.apple.com/guide/deployment/use-login-and-logout-hooks-dep07b92494/web
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/bb742376(v=technet.10)
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688