diff --git a/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml b/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml
index 799759ea8..a7f5b3467 100644
--- a/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml
+++ b/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml
@@ -5,9 +5,10 @@ description: Detect lateral movement using GPO scheduled task, usually used to d
 references:
 - https://twitter.com/menasec1/status/1106899890377052160
 - https://www.secureworks.com/blog/ransomware-as-a-distraction
+ - https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-0-16-1-scheduled-task-execution-at-scale-via-gpo.html
 author: Samir Bousseaden
 date: 2019-04-03
-modified: 2024-08-01
+modified: 2024-09-04
 tags:
 - attack.persistence
 - attack.lateral-movement
@@ -17,14 +18,22 @@ logsource:
 service: security
 definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
 detection:
- selection:
+ selection_5136:
+ EventID: 5136
+ AttributeLDAPDisplayName:
+ - 'gPCMachineExtensionNames'
+ - 'gPCUserExtensionNames'
+ AttributeValue|contains:
+ - 'CAB54552-DEEA-4691-817E-ED4A4D1AFC72'
+ - 'AADCED64-746C-4633-A97C-D61349046527'
+ selection_5145:
 EventID: 5145
- ShareName: '\\\\\*\\SYSVOL' # looking for the string \\*\SYSVOL
+ ShareName|endswith: '\SYSVOL' # looking for the string \\*\SYSVOL
 RelativeTargetName|endswith: 'ScheduledTasks.xml'
 AccessList|contains:
 - 'WriteData'
 - '%%4417'
- condition: selection
+ condition: 1 of selection_*
 falsepositives:
- - If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks
+ - If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduled tasks.
 level: high
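Review bot: The new selection_5136 branch depends on audit data that the unchanged logsource definition does not ask for: it still says only "Object Access > Audit Detailed File Share" must be enabled, but Event ID 5136 is produced by the "DS Access > Audit Directory Service Changes" subcategory and typically also needs a write-auditing SACL on the GPO objects, so deployments that follow the definition as written will never see half of `1 of selection_*` fire. I would extend it to `definition: 'Requires "Object Access > Audit Detailed File Share" (for 5145) and "DS Access > Audit Directory Service Changes" (for 5136) configured for Success/Failure'`. The comment on `ShareName|endswith: '\SYSVOL'` is now stale too, since the match is no longer anchored to `\\*\SYSVOL` but to any share name ending in `\SYSVOL`; `# any share ending in \SYSVOL, e.g. \\<dc>\SYSVOL` describes the new predicate. The falsepositives entry still only reasons about the source IP of the share access, which says nothing about the 5136 path, where routine GPO edits that add or remove the Scheduled Tasks CSE GUID will presumably match as well; a sentence noting that legitimate GPMC changes to scheduled-task preferences trigger the 5136 branch would help triage.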