CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
bad4429ad0367f9e00841faaf490cdba7c28ae9c
hayabusa/rules/alert-rules/sigma/sysmon_logon_scripts_userinitmprlogonscript_reg.yml
Tanaka Zakku 771c86edbf change rules dir structure. addlogon timeline.
2021-11-18 08:43:13 +09:00

35 lines
992 B
YAML
Raw Blame History

title: Logon Scripts (UserInitMprLogonScript) Registry
author: Tom Ueltschi (@c_APT_ure)
date: 2019/01/12
description: Detects creation or execution of UserInitMprLogonScript persistence method
detection:
SELECTION_1:
EventID: 12
SELECTION_2:
EventID: 13
SELECTION_3:
EventID: 14
SELECTION_4:
TargetObject: '*UserInitMprLogonScript*'
condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
falsepositives:
- exclude legitimate logon scripts
- penetration tests, red teaming
id: 9ace0707-b560-49b8-b6ca-5148b42f39fb
level: high
logsource:
category: registry_event
product: windows
modified: 2020/07/01
references:
- https://attack.mitre.org/techniques/T1037/
status: experimental
tags:
- attack.t1037
- attack.t1037.001
- attack.persistence
- attack.lateral_movement
yml_filename: sysmon_logon_scripts_userinitmprlogonscript_reg.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
Reference in New Issue View Git Blame Copy Permalink