title: Potential Persistence Via Logon Scripts - CommandLine
id: 21d856f9-9281-4ded-9377-51a1a6e2a432
related:
    - id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458
      type: derived
status: test
description: Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence
references:
    - https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html
author: Tom Ueltschi (@c_APT_ure)
date: 2019-01-12
modified: 2023-06-09
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1037.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: 'UserInitMprLogonScript'
    condition: selection
falsepositives:
    - Legitimate addition of Logon Scripts via the command line by administrators or third party tools
level: high

title: Uncommon Userinit Child Process
id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458
related:
    - id: 21d856f9-9281-4ded-9377-51a1a6e2a432
      type: similar
status: test
description: Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence.
references:
    - https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html
    - https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core
author: Tom Ueltschi (@c_APT_ure), Tim Shelton
date: 2019-01-12
modified: 2023-11-14
tags:
    - attack.privilege-escalation
    - attack.t1037.001
    - attack.persistence
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\userinit.exe'
    filter_main_explorer:
        Image|endswith: ':\WINDOWS\explorer.exe'
    filter_optional_logonscripts:
        CommandLine|contains:
            - 'netlogon.bat'
            - 'UsrLogon.cmd'
    filter_optional_windows_core:
        # Note: This filter is mandatory on Windows Core machines as the default shell spawned by "userinit" is "powershell.exe".
        # https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core
        CommandLine: 'PowerShell.exe'
    filter_optional_proquota:
        Image|endswith:
            - ':\Windows\System32\proquota.exe'
            - ':\Windows\SysWOW64\proquota.exe'
    filter_optional_citrix:
        Image|endswith:
            # As reported by https://github.com/SigmaHQ/sigma/issues/4569
            - ':\Program Files (x86)\Citrix\HDX\bin\cmstart.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command
            - ':\Program Files (x86)\Citrix\HDX\bin\icast.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command
            - ':\Program Files (x86)\Citrix\System32\icast.exe'
            - ':\Program Files\Citrix\HDX\bin\cmstart.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command
            - ':\Program Files\Citrix\HDX\bin\icast.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command
            - ':\Program Files\Citrix\System32\icast.exe'
    filter_optional_image_null:
        Image: null
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate logon scripts or custom shells may trigger false positives. Apply additional filters accordingly.
level: high

title: Potential Persistence Via Logon Scripts - Registry
id: 9ace0707-b560-49b8-b6ca-5148b42f39fb
status: test
description: Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.001/T1037.001.md
author: Tom Ueltschi (@c_APT_ure)
date: 2019-01-12
modified: 2025-10-26
tags:
    - attack.privilege-escalation
    - attack.t1037.001
    - attack.persistence
    - attack.lateral-movement
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: 'UserInitMprLogonScript'
    condition: selection
falsepositives:
    - Investigate the contents of the "UserInitMprLogonScript" value to determine of the added script is legitimate
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript/info.yml
simulation:
    - type: atomic-red-team
      name: Logon Scripts
      technique: T1037.001
      atomic_guid: d6042746-07d4-4c92-9ad8-e644c114a231