Correlates Group Policy updates that configure network logon scripts with the remote file execution that follows user logons, in order to surface persistence or execution chains that result from adversarial manipulation of logon scripts.

| Data Component | Name | Channel |
|---|---|---|
| Network Share Access (DC0102) | WinEventLog:Security | EventCode=5145 |
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Script Execution (DC0029) | WinEventLog:System | EventCode=4016,5312 |

| Field | Description |
|---|---|
| TargetObject | Path to network-based script execution; tuning required for environment-specific network shares. |
| ParentProcessName | Initial execution process that launches the script; may vary depending on script language or user context. |
| TimeWindow | Acceptable time window to correlate Group Policy update with script execution (e.g., 2–10 minutes). |
| UserContext | Account initiating execution; useful for filtering known administrative activity. |
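The correlation above, as an added Python example that is not part of this analytic: it groups constructed sample events by account, and for each Group Policy processing event (4016/5312) looks within the time window for a 5145 read of a script from a script-hosting share followed by a 4688 whose command line names that script. The share names, script extensions, admin account and the `userinit.exe` parent are assumptions standing in for environment-specific tuning.

```python
from datetime import datetime, timedelta

# Tunables that mirror the fields above; values are assumptions for this example
GPO_CODES = {4016, 5312}                   # Group Policy processing events
SCRIPT_SHARES = ("NETLOGON", "SYSVOL")     # TargetObject: script-hosting shares to tune
SCRIPT_EXT = (".bat", ".cmd", ".ps1", ".vbs")
KNOWN_ADMINS = {"CORP\\gpoadmin"}          # UserContext: accounts to filter out

# Constructed sample events (not real logs); "ts" is ISO 8601, "code" the EventCode
EVENTS = [
    {"ts": "2024-05-01T08:00:00", "code": 4016, "user": "CORP\\jdoe"},
    {"ts": "2024-05-01T08:00:12", "code": 5145, "user": "CORP\\jdoe",
     "share": "\\\\*\\NETLOGON", "target": "scripts\\logon.bat"},
    {"ts": "2024-05-01T08:00:15", "code": 4688, "user": "CORP\\jdoe",
     "parent": "C:\\Windows\\System32\\userinit.exe",
     "cmdline": r"cmd.exe /c \\dc01\NETLOGON\scripts\logon.bat"},
    # Same script read and run, but with no GPO update in the window: not a chain
    {"ts": "2024-05-01T11:30:00", "code": 5145, "user": "CORP\\asmith",
     "share": "\\\\*\\NETLOGON", "target": "scripts\\logon.bat"},
    {"ts": "2024-05-01T11:30:03", "code": 4688, "user": "CORP\\asmith",
     "parent": "C:\\Windows\\System32\\userinit.exe",
     "cmdline": r"cmd.exe /c \\dc01\NETLOGON\scripts\logon.bat"},
]

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def _is_script_read(e):
    """5145 against a script share whose RelativeTargetName is a script file."""
    return (e["code"] == 5145
            and e.get("share", "").upper().endswith(SCRIPT_SHARES)
            and e.get("target", "").lower().endswith(SCRIPT_EXT))

def correlate(events, window_minutes=10):
    """Per user: GPO event, then in-window script read, then 4688 naming that script."""
    window = timedelta(minutes=window_minutes)
    by_user = {}
    for e in sorted(events, key=_ts):
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in ((u, v) for u, v in by_user.items() if u not in KNOWN_ADMINS):
        for g in (e for e in evs if e["code"] in GPO_CODES):
            chain = [e for e in evs if _ts(g) <= _ts(e) <= _ts(g) + window]
            for r in filter(_is_script_read, chain):
                name = r["target"].rsplit("\\", 1)[-1].lower()
                for p in chain:
                    if p["code"] == 4688 and _ts(p) >= _ts(r) and name in p.get("cmdline", "").lower():
                        alerts.append({"user": user, "script": r["target"], "parent": p.get("parent"), "cmdline": p["cmdline"]})
    return alerts
```

In a real deployment the 5145 events come from the domain controller or file server while 4016/5312 and 4688 come from the client, so the join key is the account (and, where available, the client IP from 5145) rather than the host.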