
DET0367 Detect Network Logon Script Abuse via Multi-Event Correlation on Windows

| Item | Value |
|---|---|
| ID | DET0367 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1037.003 (Network Logon Script)

Analytics

Windows

AN1034

Correlates Group Policy updates that configure network logon scripts with the remote file execution that follows at user logon, in order to identify persistence or execution chains tied to adversarial manipulation of logon scripts.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Network Share Access (DC0102) | WinEventLog:Security | EventCode=5145 |
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Script Execution (DC0029) | WinEventLog:System | EventCode=4016, 5312 |

Mutable Elements

| Field | Description |
|---|---|
| TargetObject | Path to network-based script execution; tuning required for environment-specific network shares. |
| ParentProcessName | Initial execution process that launches the script; may vary depending on script language or user context. |
| TimeWindow | Acceptable time window to correlate Group Policy update with script execution (e.g., 2–10 minutes). |
| UserContext | Account initiating execution; useful for filtering known administrative activity. |
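The correlation AN1034 describes, written out as an added Python example (not part of the ATT&CK page): a 5145 read of a script under NETLOGON/SYSVOL is alerted on only when Group Policy processing (4016/5312) precedes it and a 4688 whose parent is a logon-script host runs that script after it, all within TimeWindow. Field names follow the Security log EventData (ShareName, RelativeTargetName, ParentProcessName, CommandLine); the simplified User/Host keys, the sample events and the tunable values are assumptions.

```python
"""Correlate Group Policy script processing (EventCode 4016/5312), network share
access (5145) and process creation (4688) into one alert chain per user."""
from datetime import datetime, timedelta
import re

# Tunables from the page's Mutable Elements; the values are assumptions.
TIME_WINDOW = timedelta(minutes=5)                                  # TimeWindow
SCRIPT_PATH = re.compile(r"\\(NETLOGON|SYSVOL)\\.*\.(bat|cmd|ps1|vbs)$", re.I)  # TargetObject
SCRIPT_PARENTS = {"userinit.exe", "gpscript.exe"}                   # ParentProcessName
KNOWN_ADMINS = {"svc_gpdeploy"}                                     # UserContext allowlist


def _ts(e):
    return datetime.fromisoformat(e["TimeCreated"])


def correlate(events, window=TIME_WINDOW):
    """Return one alert per 5145 script read that is preceded (within window) by
    GP processing and followed (within window) by a 4688 running that script.
    Keyed on User, not Host: 5145 is logged on the file server while 4016/5312
    and 4688 are logged on the client, so the Host fields do not line up."""
    alerts = []
    for share in (e for e in events if e["EventCode"] == 5145):
        path = share["ShareName"].rstrip("\\") + "\\" + share["RelativeTargetName"]
        if not SCRIPT_PATH.search(path) or share["User"].lower() in KNOWN_ADMINS:
            continue
        t0, user = _ts(share), share["User"]
        gp = [e for e in events if e["EventCode"] in (4016, 5312)
              and e["User"] == user and timedelta(0) <= t0 - _ts(e) <= window]
        if not gp:
            continue  # share read not tied to a policy refresh: no chain
        for proc in (e for e in events if e["EventCode"] == 4688 and e["User"] == user):
            parent = proc["ParentProcessName"].rsplit("\\", 1)[-1].lower()
            if (timedelta(0) <= _ts(proc) - t0 <= window and parent in SCRIPT_PARENTS
                    and share["RelativeTargetName"].lower() in proc["CommandLine"].lower()):
                alerts.append({"user": user, "host": proc["Host"], "script": path,
                               "parent": parent, "gp_event": gp[-1]["EventCode"]})
    return alerts


# Constructed sample events (not real logs), in time order.
SAMPLE = [
    {"TimeCreated": "2025-10-21T08:00:00", "EventCode": 5312, "Host": "WS01", "User": "jdoe"},
    {"TimeCreated": "2025-10-21T08:00:05", "EventCode": 5145, "Host": "DC01", "User": "jdoe",
     "ShareName": "\\\\*\\NETLOGON", "RelativeTargetName": "logon.bat"},
    {"TimeCreated": "2025-10-21T08:00:06", "EventCode": 4688, "Host": "WS01", "User": "jdoe",
     "ParentProcessName": "C:\\Windows\\System32\\userinit.exe",
     "CommandLine": "cmd.exe /c \\\\dc01\\NETLOGON\\logon.bat"},
    {"TimeCreated": "2025-10-21T09:30:00", "EventCode": 5145, "Host": "DC01", "User": "jdoe",
     "ShareName": "\\\\*\\NETLOGON", "RelativeTargetName": "logon.bat"},  # no GP refresh
]
```

Running `correlate(SAMPLE)` yields a single alert for the 08:00 chain; the 09:30 share read has no Group Policy processing within the window and is dropped, which is the tuning point the TimeWindow element exists for.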