[New Rule] Startup/Logon Script added to Group Policy Object (#1607)

* "Startup/Logon Script added to Group Policy Object" Initial Rule

* Change severity

* nest non-ecs schema and move logs-system to winlogbeat

* format query and remove quotes

* Update rules/windows/privilege_escalation_group_policy_iniscript.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Add rule_ids and false_positives instance

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>

etc/non-ecs-schema.json

@@ -15,8 +15,8 @@
         "AttributeValue": "keyword",
         "CallerProcessName": "keyword", 
         "CallTrace": "keyword",
-        "OriginalFileName": "keyword",
         "GrantedAccess": "keyword",
+        "OriginalFileName": "keyword",
         "RelativeTargetName": "keyword",
         "ShareName": "keyword",
         "SubjectLogonId": "keyword",

rules/windows/privilege_escalation_group_policy_iniscript.toml

@@ -0,0 +1,117 @@
+[metadata]
+creation_date = "2021/11/08"
+maturity = "production"
+updated_date = "2021/11/08"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
+"""
+false_positives = ["Legitimate Administrative Activity"]
+index = ["winlogbeat-*", "logs-system.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Startup/Logon Script added to Group Policy Object"
+note = """## Triage and analysis
+
+### Investigating Scheduled Task Execution at Scale via GPO
+
+Group Policy Objects can be used by attackers as a mechanism for an attacker to instruct an arbitrarily large group of clients to
+execute specified commands at Startup, Logon, Shutdown, and Logoff. This is done by creating/modifying the `scripts.ini` or 
+`psscripts.ini` files. The scripts are stored in the following path: `<GPOPath>\\Machine\\Scripts\\`, `<GPOPath>\\User\\Scripts\\`
+
+#### Possible investigation steps:
+- This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the activity is legitimate
+and the administrator is authorized to perform this operation.
+- Retrieve the contents of the script file, check for any potentially malicious commands and binaries.
+- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.
+
+### False Positive Analysis
+- Verify if the execution is allowed and done under change management, and legitimate.
+
+### Related Rules
+- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf
+- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e
+
+### Response and Remediation
+- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further
+post-compromise behavior.
+
+## Config
+
+The 'Audit Detailed File Share' audit policy is required be configured (Success Failure).
+Steps to implement the logging policy with with Advanced Audit Configuration:
+```
+Computer Configuration > 
+Policies > 
+Windows Settings > 
+Security Settings > 
+Advanced Audit Policies Configuration > 
+Audit Policies > 
+Object Access > 
+Audit Detailed File Share (Success,Failure)
+```
+
+The 'Audit Directory Service Changes' audit policy is required be configured (Success Failure).
+Steps to implement the logging policy with with Advanced Audit Configuration:
+```
+Computer Configuration > 
+Policies > 
+Windows Settings > 
+Security Settings > 
+Advanced Audit Policies Configuration > 
+Audit Policies > 
+DS Access > 
+Audit Directory Service Changes (Success,Failure)
+```
+"""
+references = [
+    "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md",
+    "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md",
+    "https://labs.f-secure.com/tools/sharpgpoabuse"
+]
+risk_score = 47
+rule_id = "16fac1a1-21ee-4ca6-b720-458e3855d046"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Active Directory"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+(
+ event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and
+   winlog.event_data.AttributeValue:(*42B5FAAE-6536-11D2-AE5A-0000F87571E3* and
+                                      (*40B66650-4972-11D1-A7CA-0000F87571E3* or *40B6664F-4972-11D1-A7CA-0000F87571E3*))
+)
+or
+(
+ event.code:5145 and winlog.event_data.ShareName:\\\\*\\SYSVOL and
+   winlog.event_data.RelativeTargetName:(*\\scripts.ini or *\\psscripts.ini) and
+   (message:WriteData or winlog.event_data.AccessList:*%%4417*)
+)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+reference = "https://attack.mitre.org/techniques/T1547/"
+id = "T1547"
+name = "Boot or Logon Autostart Execution"
+
+[[rule.threat.technique]]
+reference = "https://attack.mitre.org/techniques/T1484/"
+id = "T1484"
+name = "Domain Policy Modification"
+
+    [[rule.threat.technique.subtechnique]]
+    reference = "https://attack.mitre.org/techniques/T1484/001/"
+    id = "T1484.001"
+    name = "Group Policy Modification"
+
+[rule.threat.tactic]
+reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0004"
+name = "Privilege Escalation"