Detectionmediumtest
Startup/Logon Script Added to Group Policy Object
Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Elastic Security, Josh Nickels, Marius RothenbücherCreated Fri Sep 06123e4e6d-b123-48f8-b261-7214938acaf0windows
Log Source
Windowssecurity
ProductWindows← raw: windows
Servicesecurity← raw: security
Definition
The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure
Detection Logic
Detection Logic4 selectors
detection:
selection_eventid:
EventID:
- 5136
- 5145
selection_attributes_main:
AttributeLDAPDisplayName:
- 'gPCMachineExtensionNames'
- 'gPCUserExtensionNames'
AttributeValue|contains: '42B5FAAE-6536-11D2-AE5A-0000F87571E3'
selection_attributes_optional:
AttributeValue|contains:
- '40B6664F-4972-11D1-A7CA-0000F87571E3'
- '40B66650-4972-11D1-A7CA-0000F87571E3'
selection_share:
ShareName|endswith: '\SYSVOL'
RelativeTargetName|endswith:
- '\scripts.ini'
- '\psscripts.ini'
AccessList|contains: '%%4417'
condition: selection_eventid and (all of selection_attributes_* or selection_share)False Positives
Legitimate execution by system administrators.
References
MITRE ATT&CK
Rule Metadata
Rule ID
123e4e6d-b123-48f8-b261-7214938acaf0
Status
test
Level
medium
Type
Detection
Created
Fri Sep 06
Path
rules/windows/builtin/security/win_security_susp_group_policy_startup_script_added_to_gpo.yml
Raw Tags
attack.persistenceattack.defense-evasionattack.privilege-escalationattack.t1484.001attack.t1547