Skip to content

DET0112 Boot or Logon Initialization Scripts Detection Strategy

Item Value
ID DET0112
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1037 (Boot or Logon Initialization Scripts)

Analytics

Windows

AN0311

Monitoring modification and execution of user or system logon scripts such as in registry Run keys or startup folders.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Security EventCode=4688
Windows Registry Key Modification (DC0063) WinEventLog:Security EventCode=4657
Scheduled Job Creation (DC0001) WinEventLog:TaskScheduler EventCode=106
Mutable Elements
Field Description
TargetObject Registry path that may vary by user or policy configuration.
ParentProcessName Can be tuned to known parent processes to reduce false positives.
TimeWindow Logon activity clustered during specific user shifts.

Linux

AN0312

Detection of changes or execution of shell initialization scripts like .bashrc, .profile, or /etc/profile for persistence.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL EXECVE
File Metadata (DC0059) auditd:PATH PATH
File Modification (DC0061) linux:osquery file_events
Mutable Elements
Field Description
FilePath Initialization script path that can differ across user and system profiles.
UserContext User-level vs root-level configuration.
TimeWindow Useful to correlate between file change and subsequent execution.

macOS

AN0313

Monitoring for modification and execution of login hook scripts or LaunchAgents/LaunchDaemons used for persistence.

Log Sources
Data Component Name Channel
Script Execution (DC0029) macos:unifiedlog log
File Access (DC0055) fs:fsusage file
Service Metadata (DC0041) macos:osquery launchd
Mutable Elements
Field Description
Label LaunchAgent or LaunchDaemon label name, often environment-specific.
ProgramArguments Arguments passed to scripts, which may need tuning by environment.
UserContext Distinguish between user login and system startup agents.

ESXi

AN0314

Detection of modification to ESXi rc.local.d or rc scripts that are used to execute on boot.

Log Sources
Data Component Name Channel
Script Execution (DC0029) esxi:vmkernel boot
File Modification (DC0061) esxi:hostd boot
Mutable Elements
Field Description
ScriptName Script path or name may vary across hypervisor versions.
LogSeverity Log verbosity settings may alter visibility of activity.

Network Devices

AN0315

Detection of changes to device startup-config files that include boot scripts or scheduled execution routines.

Log Sources
Data Component Name Channel
File Modification (DC0061) networkdevice:syslog config
Mutable Elements
Field Description
Interface Affected interface or subsystem; varies per device.
CommandPattern Patterns of authorized config changes differ by vendor or policy.