[metadata] creation_date = "2021/11/08" integration = ["system", "windows"] maturity = "production" updated_date = "2025/03/20" [rule] author = ["Elastic"] description = """ Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO. """ index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Scheduled Task Execution at Scale via GPO" note = """## Triage and analysis ### Investigating Scheduled Task Execution at Scale via GPO Group Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. This is done by changing the contents of the `\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file. #### Possible investigation steps - This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation. - Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries. - Investigate other alerts associated with the user/host during the past 48 hours. - Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO. ### False positive analysis - Verify if the execution is allowed and done under change management, and if the execution is legitimate. ### Related rules - Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf - Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046 ### Response and remediation - Initiate the incident response process based on the outcome of the triage. - The investigation and containment must be performed in every computer controlled by the GPO, where necessary. - Remove the script from the GPO. - Check if other GPOs have suspicious scheduled tasks attached. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ references = [ "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", "https://labs.f-secure.com/tools/sharpgpoabuse", "https://twitter.com/menasec1/status/1106899890377052160", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_gpo_scheduledtasks.yml", ] risk_score = 47 rule_id = "15a8ba77-1c13-4274-88fe-6bd14133861e" setup = """## Setup The 'Audit Detailed File Share' audit policy must be configured (Success Failure). Steps to implement the logging policy with Advanced Audit Configuration: ``` Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > Object Access > Audit Detailed File Share (Success,Failure) ``` The 'Audit Directory Service Changes' audit policy must be configured (Success Failure). Steps to implement the logging policy with Advanced Audit Configuration: ``` Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > DS Access > Audit Directory Service Changes (Success,Failure) ``` """ severity = "medium" tags = [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Lateral Movement", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Windows Security Event Logs", ] timestamp_override = "event.ingested" type = "eql" query = ''' any where host.os.type == "windows" and event.code in ("5136", "5145") and ( ( winlog.event_data.AttributeLDAPDisplayName : ( "gPCMachineExtensionNames", "gPCUserExtensionNames" ) and winlog.event_data.AttributeValue : "*CAB54552-DEEA-4691-817E-ED4A4D1AFC72*" and winlog.event_data.AttributeValue : "*AADCED64-746C-4633-A97C-D61349046527*" ) or ( winlog.event_data.ShareName : "\\\\*\\SYSVOL" and winlog.event_data.RelativeTargetName : "*ScheduledTasks.xml" and winlog.event_data.AccessList:"*%%4417*" ) ) ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" [[rule.threat.technique]] id = "T1484" name = "Domain or Tenant Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/" [[rule.threat.technique.subtechnique]] id = "T1484.001" name = "Group Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/001/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1570" name = "Lateral Tool Transfer" reference = "https://attack.mitre.org/techniques/T1570/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/"