T1037 Sumo Logic CSE · Sumo

Detect Boot or Logon Initialization Scripts in Sumo Logic CSE

Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. On Windows, logon scripts can be set via the UserInitMprLogonScript registry value under HKCU\Environment, or via Group Policy. On Linux and macOS, adversaries target RC scripts (/etc/rc.d/, /etc/init.d/, /etc/rc.local), systemd unit files, login hooks, and startup items. These mechanisms execute with elevated privileges and survive reboots, making them effective persistence mechanisms. Threat groups including APT41, APT29, Rocke, and UNC3886 have all leveraged initialization script abuse, targeting both enterprise endpoints and network appliances.

MITRE ATT&CK

Tactic
Persistence, Privilege Escalation
Technique
T1037 Boot or Logon Initialization Scripts
Canonical reference
https://attack.mitre.org/techniques/T1037/

Sumo Detection Query

Sumo Logic CSE (Sumo)
(_sourceCategory=windows/sysmon OR _sourceCategory=windows/security OR _sourceCategory=linux/syslog OR _sourceCategory=linux/auditd OR _sourceCategory=macos/syslog OR _sourceCategory=endpoint*)
| where (
    // Branch 1: Sysmon EventID 13 - Registry Value Set targeting UserInitMprLogonScript
    (EventID = "13" AND TargetObject matches "(?i).*\\Environment.*UserInitMprLogonScript.*")
    OR
    // Branch 1b: Windows Security Event 4657 - Registry modification
    (EventID = "4657" AND ObjectName matches "(?i).*\\Environment.*UserInitMprLogonScript.*")
    OR
    // Branch 2: Sysmon EventID 11 - File created in GroupPolicy/SYSVOL/netlogon with script extension
    (EventID = "11" AND TargetFilename matches "(?i).*(\\GroupPolicy\\|\\SYSVOL\\|\\netlogon\\).*" AND TargetFilename matches "(?i).*\.(bat|cmd|vbs|ps1|js|wsf)$")
    OR
    // Branch 3: Linux syslog - write activity to init script directories
    (_sourceCategory matches "(?i).*linux.*" AND (
      _raw matches "(?i).*/etc/(rc\.d|init\.d|rc\.local|init/).*"
    ) AND (
      _raw matches "(?i).*(chmod|cp|mv|tee|install|echo|write).*"
    ))
    OR
    // Branch 3b: Linux auditd - syscall writes to init paths
    (_sourceCategory matches "(?i).*auditd.*" AND (
      name matches "(?i)/etc/(init\.d|rc\.d|rc\.local|init/).*"
    ) AND (
      syscall matches "(write|open|rename|truncate|creat)"
    ))
    OR
    // Branch 4: macOS defaults write LoginHook
    (process_name = "defaults" AND _raw matches "(?i).*(LoginHook|LogoutHook).*")
    OR
    // Branch 4b: Sysmon EventID 1 - macOS defaults process launch
    (EventID = "1" AND Image matches "(?i).*defaults$" AND CommandLine matches "(?i).*(LoginHook|LogoutHook).*")
  )
| eval detection_branch = if(EventID = "13" AND TargetObject matches "(?i).*UserInitMprLogonScript.*", "Windows-LogonScript-Registry",
    if(EventID = "4657" AND ObjectName matches "(?i).*UserInitMprLogonScript.*", "Windows-LogonScript-Registry",
    if(EventID = "11" AND TargetFilename matches "(?i).*(GroupPolicy|SYSVOL|netlogon).*", "Windows-StartupScript-FileCreate",
    if(_sourceCategory matches "(?i).*auditd.*", "Linux-AuditD-InitScript",
    if(_sourceCategory matches "(?i).*linux.*", "Linux-InitScript-Syslog",
    if(_raw matches "(?i).*(LoginHook|LogoutHook).*", "macOS-LoginHook-Configured", "Other"))))))
| eval indicator = if(isNull(TargetObject), if(isNull(TargetFilename), if(isNull(name), _raw, name), TargetFilename), TargetObject)
| eval actor = coalesce(User, auid, process_name, "unknown")
| count by detection_branch, _sourceHost, actor, indicator
| sort by _count desc

Severity: high · Confidence: high

Detects T1037 Boot or Logon Initialization Script abuse using Sumo Logic CSE across multiple platforms and log sources. Covers Windows Sysmon EventID 13 (registry value set) and EventID 11 (file create) for registry-based logon script persistence and Group Policy/SYSVOL script drops, Linux syslog and auditd for init.d/rc.d script writes, and macOS syslog and Sysmon EventID 1 for login hook configuration via 'defaults write'. Results are grouped by detection branch, host, and actor for analyst triage.
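To check that the branch logic, the indicator/actor fallbacks and the final grouping behave as intended before the rule is deployed, the following Python re-implements the query's pipeline over constructed sample events. This is an added example, not code from the original page or from Sumo Logic: the field names (EventID, TargetObject, TargetFilename, ObjectName, name, syscall, auid, process_name, _raw, _sourceCategory, _sourceHost) mirror the query, the sample records are constructed rather than real telemetry, and the syscall set adds openat, which Test 2 below names and which the query's unanchored alternation would also accept.

```python
import re
from collections import Counter
from typing import Optional

# Regexes mirror the branches of the Sumo query above; (?i) becomes re.I.
LOGON_SCRIPT_RE = re.compile(r"\\Environment.*UserInitMprLogonScript", re.I)
GPO_DIR_RE = re.compile(r"\\(GroupPolicy|SYSVOL|netlogon)\\", re.I)
SCRIPT_EXT_RE = re.compile(r"\.(bat|cmd|vbs|ps1|js|wsf)$", re.I)
INIT_PATH_RE = re.compile(r"/etc/(rc\.d|init\.d|rc\.local|init/)", re.I)
WRITE_VERB_RE = re.compile(r"\b(chmod|cp|mv|tee|install|echo|write)\b", re.I)
# Assumption: 'openat' included, since Test 2 on the page expects it.
INIT_SYSCALLS = {"write", "open", "openat", "rename", "truncate", "creat"}
LOGIN_HOOK_RE = re.compile(r"LoginHook|LogoutHook", re.I)


def classify(ev: dict) -> Optional[str]:
    """Return the detection_branch label the query would assign, or None when
    no branch matches (the event would be dropped by the where clause)."""
    cat = ev.get("_sourceCategory", "").lower()
    eid = ev.get("EventID")
    raw = ev.get("_raw", "")
    if eid == "13" and LOGON_SCRIPT_RE.search(ev.get("TargetObject", "")):
        return "Windows-LogonScript-Registry"
    if eid == "4657" and LOGON_SCRIPT_RE.search(ev.get("ObjectName", "")):
        return "Windows-LogonScript-Registry"
    if eid == "11":
        fn = ev.get("TargetFilename", "")
        if GPO_DIR_RE.search(fn) and SCRIPT_EXT_RE.search(fn):
            return "Windows-StartupScript-FileCreate"
    # auditd is tested before the generic linux match, as in the eval ordering.
    if "auditd" in cat:
        if INIT_PATH_RE.search(ev.get("name", "")) and ev.get("syscall") in INIT_SYSCALLS:
            return "Linux-AuditD-InitScript"
    elif "linux" in cat:
        if INIT_PATH_RE.search(raw) and WRITE_VERB_RE.search(raw):
            return "Linux-InitScript-Syslog"
    if ev.get("process_name") == "defaults" and LOGIN_HOOK_RE.search(raw):
        return "macOS-LoginHook-Configured"
    if (eid == "1" and re.search(r"defaults$", ev.get("Image", ""), re.I)
            and LOGIN_HOOK_RE.search(ev.get("CommandLine", ""))):
        return "macOS-LoginHook-Configured"
    return None


def indicator(ev: dict) -> str:
    """Mirror of the 'indicator' eval: first non-null of TargetObject,
    TargetFilename, name, then the raw message."""
    for field in ("TargetObject", "TargetFilename", "name"):
        if ev.get(field) is not None:
            return ev[field]
    return ev.get("_raw", "")


def actor(ev: dict) -> str:
    """Mirror of coalesce(User, auid, process_name, "unknown")."""
    for field in ("User", "auid", "process_name"):
        if ev.get(field) is not None:
            return str(ev[field])
    return "unknown"


def aggregate(events):
    """Equivalent of '| count by detection_branch, _sourceHost, actor, indicator
    | sort by _count desc'; events matching no branch are dropped."""
    counts = Counter()
    for ev in events:
        branch = classify(ev)
        if branch is None:
            continue
        counts[(branch, ev.get("_sourceHost", "?"), actor(ev), indicator(ev))] += 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


# Constructed sample events (not real telemetry): one per branch plus one
# SYSVOL write with a non-script extension that must NOT match.
SAMPLE_EVENTS = [
    {"_sourceCategory": "windows/sysmon", "_sourceHost": "WS01", "EventID": "13",
     "TargetObject": r"HKU\S-1-5-21-1\Environment\UserInitMprLogonScript", "User": "CORP\\alice"},
    {"_sourceCategory": "windows/sysmon", "_sourceHost": "DC01", "EventID": "11",
     "TargetFilename": r"C:\Windows\SYSVOL\sysvol\corp.local\scripts\logon.bat", "User": "CORP\\svc-deploy"},
    {"_sourceCategory": "windows/sysmon", "_sourceHost": "DC01", "EventID": "11",
     "TargetFilename": r"C:\Windows\SYSVOL\sysvol\corp.local\scripts\readme.txt", "User": "CORP\\svc-deploy"},
    {"_sourceCategory": "linux/auditd", "_sourceHost": "web01", "syscall": "openat",
     "name": "/etc/init.d/argus-test", "auid": "1000"},
    {"_sourceCategory": "linux/syslog", "_sourceHost": "web02",
     "_raw": "sudo: bob : COMMAND=/usr/bin/tee /etc/rc.local"},
    {"_sourceCategory": "macos/syslog", "_sourceHost": "mac01", "process_name": "defaults",
     "_raw": "defaults write com.apple.loginwindow LoginHook /tmp/argus-loginhook.sh"},
    {"_sourceCategory": "macos/syslog", "_sourceHost": "mac02", "EventID": "1", "Image": "/usr/bin/defaults",
     "CommandLine": "defaults write com.apple.loginwindow LogoutHook /tmp/x.sh", "User": "carol"},
]

if __name__ == "__main__":
    for (branch, host, who, ind), n in aggregate(SAMPLE_EVENTS):
        print(f"{n:>3}  {branch:<34} {host:<6} {who:<16} {ind}")
```

Running the script prints one row per surviving event; the readme.txt write is absent, and the syslog row shows actor "unknown", which is worth noting when tuning: the syslog branch carries no user field, so attribution for that branch has to come from the raw message (here the sudo COMMAND line) rather than from the actor column.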

Data Sources

  • Windows Sysmon (EventID 1, 11, 13) via Sumo Logic Windows source
  • Windows Security Event Log (EventID 4657) via Sumo Logic Windows source
  • Linux syslog (/var/log/syslog, /var/log/messages) via Sumo Logic installed collector
  • Linux auditd logs via Sumo Logic installed collector
  • macOS unified system log via Sumo Logic macOS source

Required Tables

  • _sourceCategory=windows/sysmon
  • _sourceCategory=windows/security
  • _sourceCategory=linux/syslog
  • _sourceCategory=linux/auditd
  • _sourceCategory=macos/syslog

False Positives & Tuning

  • Automated software deployment pipelines (Jenkins, GitLab CI, GitHub Actions self-hosted runners) that write scripts to SYSVOL or netlogon as part of GPO-based software distribution — correlate against CI/CD service account names.
  • Linux system administrators running configuration management (Ansible playbooks, Chef cookbooks) that legitimately install or update init scripts in /etc/init.d/ during scheduled maintenance windows.
  • Corporate macOS device enrollment processes using Jamf or similar MDM that configure login/logout hooks as standard endpoint management controls — baseline MDM agent PIDs and signing identities.
Testing Methodology

Validate this detection against the 4 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Windows Logon Script via UserInitMprLogonScript Registry

    Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject=HKCU\Environment\UserInitMprLogonScript, Details=%TEMP%\argus-test-logon.bat, Image=reg.exe. Sysmon Event ID 11 (File Create): TargetFilename=%TEMP%\argus-test-logon.bat. DeviceRegistryEvents in MDE will show ActionType=RegistryValueSet with RegistryValueName=UserInitMprLogonScript.

  2. Test 2: Linux RC Script Persistence via init.d

    Expected signal: Linux auditd SYSCALL=openat/write with name=/etc/init.d/argus-test and exe=bash or exe=tee. Syslog entries for update-rc.d execution. If auditd rule -w /etc/init.d -p wa -k init_script_write is in place, ausearch will return the creation event with auid, uid, pid, and full command context. File creation timestamp visible via stat /etc/init.d/argus-test.

  3. Test 3: macOS Login Hook Configuration

    Expected signal: Sysmon for macOS Event ID 1 (Process Create): Image=defaults, CommandLine contains 'write com.apple.loginwindow LoginHook'. File create event for /tmp/argus-loginhook.sh. MDE DeviceProcessEvents will show FileName=defaults with ProcessCommandLine referencing LoginHook. On execution at next login: launchd spawning the hook script as parent.

  4. Test 4: Windows Network Logon Script via Group Policy INI

    Expected signal: Sysmon Event ID 11 (File Create): TargetFilename in %SYSTEMROOT%\System32\GroupPolicy\User\Scripts\Logon\ with .bat extension. DeviceFileEvents ActionType=FileCreated for both the script and scripts.ini. Security Event ID 4688 (cmd.exe executing mkdir and echo). On next logon: userinit.exe spawning the script from the GroupPolicy Scripts directory.
