
DET0072 Detect Logon Script Modifications and Execution

ID: DET0072
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Technique Detected: T1037.001 (Logon Script (Windows))

Analytics

Windows

AN0199

Detects adversary configuration of a logon script, either through Group Policy (scripts stored under SYSVOL/NETLOGON) or through a user object's logon-script attribute (scriptPath in Active Directory), followed by execution of that script after the user authenticates. The behavior chain is: the script path or the script file itself is modified, then a process runs the script under the logging-on user's security context.

Log Sources
Data Component | Name | Channel
File Access (DC0055) | WinEventLog:Security | EventCode=4663, 4670, 4656 (object-access auditing; requires a SACL on the script locations and "Audit File System" enabled)
Script Execution (DC0029) | WinEventLog:System | EventCode=1502, 1503 (Group Policy processing events for computer and user settings, respectively)
Logon Session Creation (DC0067) | WinEventLog:Security | EventCode=4624, 4648
Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 (enable command-line logging so the script path appears in the event)
Mutable Elements
Field | Description
script_path_keywords | Defenders may tune for known script locations such as NETLOGON, SYSVOL, or \\domain\sysvol\*.bat and *.ps1
execution_time_window | May be scoped to user logon hours or to the first X minutes post-authentication
user_context | Organizations may focus on specific users/groups with high privilege or remote access
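The analytic above describes a three-step correlation (script modified, user logs on, the script runs in that user's context) and the three tuning knobs listed under Mutable Elements. The following is an added example, not MITRE's own code, that implements that correlation over constructed Windows Security events (4663, 4624, 4688) and exposes script_path_keywords, execution_time_window and user_context as parameters. The event field names follow the Security event schema; the sample values, the corp.example domain and the user names are assumptions.

```python
"""Correlate logon-script modification with post-logon execution (DET0072 / T1037.001).

Added example; not part of the MITRE page. Events below are constructed samples
that mimic the fields of Windows Security events 4663, 4624 and 4688.
"""
from datetime import datetime, timedelta

# Mutable elements from the detection strategy, exposed as defaults.
SCRIPT_PATH_KEYWORDS = ("\\sysvol\\", "\\netlogon\\")  # script_path_keywords
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".ps1", ".vbs")    # assumption: common logon-script types
EXECUTION_WINDOW_MINUTES = 5                            # execution_time_window
# 4663 AccessMask bits that indicate the file was changed, not merely read:
# WriteData 0x2, AppendData 0x4, WriteAttributes 0x100, DELETE 0x10000.
WRITE_MASK = 0x2 | 0x4 | 0x100 | 0x10000

# Constructed sample telemetry (not real logs). corp.example is an assumed domain.
SAMPLE_EVENTS = [
    # Attacker-controlled account writes the GPO logon script on the DC (SYSVOL path).
    {"EventCode": 4663, "TimeCreated": "2025-10-21T10:00:00", "SubjectUserName": "jdoe",
     "ObjectName": r"C:\Windows\SYSVOL\sysvol\corp.example\scripts\logon.bat", "AccessMask": 0x2},
    # Read-only access to the same file (ReadData 0x1) must not count as a modification.
    {"EventCode": 4663, "TimeCreated": "2025-10-21T10:00:30", "SubjectUserName": "svc-backup",
     "ObjectName": r"C:\Windows\SYSVOL\sysvol\corp.example\scripts\logon.bat", "AccessMask": 0x1},
    # Victim logs on interactively.
    {"EventCode": 4624, "TimeCreated": "2025-10-21T10:03:00", "TargetUserName": "asmith", "LogonType": 2},
    # The modified script runs in the victim's context right after logon.
    {"EventCode": 4688, "TimeCreated": "2025-10-21T10:03:12", "SubjectUserName": "asmith",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "\\corp.example\NETLOGON\logon.bat"'},
    # Unrelated process: no script reference, no alert.
    {"EventCode": 4688, "TimeCreated": "2025-10-21T10:03:15", "SubjectUserName": "asmith",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    # Same script run 42 minutes after logon: outside the default window, so not alerted.
    {"EventCode": 4688, "TimeCreated": "2025-10-21T10:45:00", "SubjectUserName": "asmith",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "\\corp.example\NETLOGON\logon.bat"'},
]


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def is_logon_script_path(path, keywords=SCRIPT_PATH_KEYWORDS, exts=SCRIPT_EXTENSIONS):
    """True if the path sits in a known logon-script location and has a script extension."""
    p = path.lower()
    return any(k in p for k in keywords) and p.endswith(exts)


def script_name(path):
    """Basename of a Windows path, lower-cased, used to match SYSVOL writes to NETLOGON runs."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_logon_script_abuse(events, window_minutes=EXECUTION_WINDOW_MINUTES, watched_users=None,
                              keywords=SCRIPT_PATH_KEYWORDS, exts=SCRIPT_EXTENSIONS):
    """Return alerts for: script modified -> user logon (4624) -> script executed (4688)
    by that user within window_minutes of the logon. watched_users (user_context) limits
    the execution step to the given accounts; None means all users."""
    window = timedelta(minutes=window_minutes)
    watched = {u.lower() for u in watched_users} if watched_users else None
    modified = {}    # script basename -> (time, modifying user, path)
    last_logon = {}  # user -> time of most recent 4624
    alerts = []
    for ev in sorted(events, key=_ts):
        code, t = ev["EventCode"], _ts(ev)
        if code in (4663, 4670):
            path = ev.get("ObjectName", "")
            if not is_logon_script_path(path, keywords, exts):
                continue
            if code == 4663 and not (ev.get("AccessMask", 0) & WRITE_MASK):
                continue  # read-only handle use is not a modification
            modified[script_name(path)] = (t, ev.get("SubjectUserName"), path)
        elif code == 4624:
            last_logon[ev["TargetUserName"].lower()] = t
        elif code == 4688:
            user = ev.get("SubjectUserName", "").lower()
            if watched is not None and user not in watched:
                continue
            cmd = (ev.get("CommandLine") or ev.get("NewProcessName", "")).lower()
            for name, (t_mod, modifier, path) in modified.items():
                if name not in cmd:  # substring match; tighten with a regex in production
                    continue
                t_logon = last_logon.get(user)
                if t_logon is None or not (t_logon <= t <= t_logon + window):
                    continue  # no logon, or execution outside the post-logon window
                alerts.append({"user": user, "script": name, "script_path": path,
                               "modified_by": modifier, "modified_at": t_mod.isoformat(),
                               "logon_at": t_logon.isoformat(), "executed_at": t.isoformat(),
                               "process": ev.get("NewProcessName")})
    return alerts


if __name__ == "__main__":
    for alert in detect_logon_script_abuse(SAMPLE_EVENTS):
        print(alert)
```

On real telemetry the 4663 events only exist if a SACL covering the SYSVOL/NETLOGON script paths is in place with "Audit File System" enabled, and 4688 only carries the script path if process command-line logging is turned on; without those two settings the modification and execution legs of the chain are invisible. Matching on the script basename is a deliberate choice, because the write is logged against the DC's local SYSVOL path while the execution references the \\domain\NETLOGON UNC path.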