Detects adversary use of logon scripts configured through Group Policy or the user object's logon-script attribute (scriptPath), followed by execution of that script after authentication. The behavior chain is a modification of the script path or of the script file itself, then a process launched under the logging-on user's session.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | WinEventLog:Security | EventCode=4670, 4663 |
| Script Execution (DC0029) | WinEventLog:System | EventCode=1502, 1503 |
| Logon Session Creation (DC0067) | WinEventLog:Security | EventCode=4624 |
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| User Account Modification (DC0010) | WinEventLog:Security | EventCode=5136 |

Note: 4663 and 4670 are generated only for objects that carry a SACL, so object-access auditing has to be enabled on the NETLOGON and SYSVOL script directories for the File Access rows to produce anything; 5136 (directory service object modified) likewise requires the Directory Service Changes audit subcategory and is written to the Security log, not the Directory Service log.


| Field | Description |
|---|---|
| script_path_keywords | Defenders may tune for known logon-script locations such as NETLOGON, SYSVOL, or UNC paths of the form `\\domain\sysvol\*.bat` and `*.ps1` |
| execution_time_window | May be scoped to the user's normal logon hours, or to the first X minutes after authentication |
| user_context | Organizations may restrict the analytic to specific users or groups, such as highly privileged accounts or users with remote access |
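The correlation described above, written out as an added example (not ATT&CK's own analytic or any vendor's rule): staging evidence (a 5136 change to scriptPath, or a 4663/4670 write or ACL change on a script under NETLOGON/SYSVOL) is joined to a later 4624 logon and a 4688 process launch in the same logon session that references a script in one of the tuned locations. The event records are constructed, and the flat field names (`ts`, `event_id`, `logon_id`, `command_line`, and so on) are an assumed normalised schema rather than the raw Windows XML; the three tunables from the table map onto the module-level constants and the `watched_users` argument.

```python
"""Correlate logon-script staging with post-logon script execution.

Added example with constructed events; the field names are an assumed
normalised schema, not raw Windows event XML.
"""
from datetime import datetime, timedelta
import ntpath

# Tunables (the mutable elements from the table above).
SCRIPT_PATH_KEYWORDS = ("netlogon", "sysvol")          # script_path_keywords
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".ps1", ".vbs")    # script_path_keywords
EXECUTION_TIME_WINDOW = timedelta(minutes=5)            # execution_time_window
STAGING_LOOKBACK = timedelta(hours=24)                  # how long before logon a modification still counts
STAGING_IDS = {4663, 4670, 5136}                        # File Access + User Account Modification

# Constructed sample telemetry: one staged logon script and one benign logon.
SAMPLE_EVENTS = [
    # Attacker sets scriptPath on jdoe's user object (Security 5136).
    {"ts": "2024-03-01T08:55:00", "event_id": 5136, "attribute": "scriptPath",
     "value": r"\\corp.example\sysvol\corp.example\scripts\update.bat",
     "target_user": "jdoe", "actor": "svc-helpdesk"},
    # Attacker writes the script into SYSVOL (Security 4663, WriteData).
    {"ts": "2024-03-01T08:56:10", "event_id": 4663, "access": "WriteData",
     "object": r"C:\Windows\SYSVOL\sysvol\corp.example\scripts\update.bat",
     "actor": "svc-helpdesk"},
    # Victim logs on interactively (Security 4624).
    {"ts": "2024-03-01T09:02:30", "event_id": 4624, "user": "jdoe",
     "logon_type": 2, "logon_id": "0x3e7a1"},
    # Script runs inside the victim's logon session (Security 4688).
    {"ts": "2024-03-01T09:02:41", "event_id": 4688, "user": "jdoe", "logon_id": "0x3e7a1",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c \\corp.example\sysvol\corp.example\scripts\update.bat"},
    # Benign: another user logs on and starts explorer, with no staging.
    {"ts": "2024-03-01T09:10:00", "event_id": 4624, "user": "asmith",
     "logon_type": 2, "logon_id": "0x3f001"},
    {"ts": "2024-03-01T09:10:05", "event_id": 4688, "user": "asmith", "logon_id": "0x3f001",
     "image": r"C:\Windows\explorer.exe", "command_line": "explorer.exe"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def looks_like_logon_script(text):
    """True when a path or command line references a script in a logon-script location."""
    lowered = text.lower()
    return (any(k in lowered for k in SCRIPT_PATH_KEYWORDS)
            and any(ext in lowered for ext in SCRIPT_EXTENSIONS))


def script_name(text):
    """Best-effort basename of the script referenced in a path or command line."""
    for token in text.replace('"', " ").split():
        if token.lower().endswith(SCRIPT_EXTENSIONS):
            return ntpath.basename(token).lower()
    return None


def staging_events(events):
    """scriptPath changes (5136) and writes/ACL changes (4663/4670) to scripts under NETLOGON/SYSVOL."""
    staged = []
    for e in events:
        if e["event_id"] not in STAGING_IDS:
            continue
        if e["event_id"] == 5136 and e.get("attribute", "").lower() == "scriptpath":
            staged.append(e)
        elif e["event_id"] in (4663, 4670) and looks_like_logon_script(e.get("object", "")):
            staged.append(e)
    return staged


def detect(events, watched_users=None):
    """Return one alert per logon session that ran a recently staged logon script."""
    events = sorted(events, key=_ts)
    staged = staging_events(events)
    alerts = []
    for logon in (e for e in events if e["event_id"] == 4624):
        user = logon["user"]
        if watched_users is not None and user not in watched_users:
            continue                                    # user_context
        t0 = _ts(logon)
        for proc in events:
            if proc["event_id"] != 4688 or proc.get("logon_id") != logon["logon_id"]:
                continue                                # must be the same logon session
            if not t0 <= _ts(proc) <= t0 + EXECUTION_TIME_WINDOW:
                continue                                # execution_time_window
            cmd = proc.get("command_line", "")
            if not looks_like_logon_script(cmd):
                continue
            name = script_name(cmd)
            # Staging counts if it touched the same script file or this user's scriptPath.
            evidence = [s for s in staged
                        if t0 - STAGING_LOOKBACK <= _ts(s) <= t0
                        and (script_name(s.get("value") or s.get("object") or "") == name
                             or s.get("target_user") == user)]
            if evidence:
                alerts.append({
                    "user": user,
                    "logon_id": logon["logon_id"],
                    "script": name,
                    "executed_at": proc["ts"],
                    "staging_event_ids": sorted({s["event_id"] for s in evidence}),
                    "staged_by": sorted({s.get("actor", "?") for s in evidence}),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Requiring staging evidence is what keeps the routine script every domain user runs at logon from firing; dropping that join turns the analytic into a plain inventory of logon scripts, which is useful for baselining but not as an alert. Widen STAGING_LOOKBACK if attackers in your environment are expected to stage well ahead of the victim's next logon, and pass `watched_users` to narrow the analytic to the privileged or remote-access groups the user_context row describes.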