Persistence and Execution at Scale via GPO Scheduled Task
Detects lateral movement via a GPO scheduled task, a technique usually used to deploy ransomware at scale.
Log Source
Product: windows
Service: security
Definition
The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure
Detection Logic
detection:
    selection_5136:
        EventID: 5136
        AttributeLDAPDisplayName:
            - 'gPCMachineExtensionNames'
            - 'gPCUserExtensionNames'
        AttributeValue|contains:
            - 'CAB54552-DEEA-4691-817E-ED4A4D1AFC72'
            - 'AADCED64-746C-4633-A97C-D61349046527'
    selection_5145:
        EventID: 5145
        ShareName|endswith: '\SYSVOL' # looking for the string \\*\SYSVOL
        RelativeTargetName|endswith: 'ScheduledTasks.xml'
        AccessList|contains:
            - 'WriteData'
            - '%%4417'
    condition: 1 of selection_*
False Positives
If the source IP is not localhost, the activity is highly suspicious; it is better to monitor both local and remote changes to GPO scheduled tasks.
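To show how the two selectors and the `1 of selection_*` condition behave on telemetry, here is an added Python evaluator. It is not code from the page or from the Sigma project. The events it runs over are constructed for illustration: the field names are the Windows Security event fields the rule references, the CSE GUIDs are the two listed in the rule, the `contoso.local` domain and the `{PLACEHOLDER-GPO-GUID}` policy path are placeholders, and the `IpAddress` classification implements the false-positive note above rather than anything in the rule itself. Matching is case-insensitive, as Sigma's default `contains` and `endswith` modifiers are.

```python
"""Evaluate the GPO scheduled-task Sigma rule's selectors against sample events.

Added example, not part of the rule or the page. Events below are constructed.
"""
from typing import Iterable

# Client-side extension GUIDs the rule lists for gPC*ExtensionNames.
SCHEDULED_TASK_CSE_GUIDS = (
    "CAB54552-DEEA-4691-817E-ED4A4D1AFC72",
    "AADCED64-746C-4633-A97C-D61349046527",
)
GPC_ATTRIBUTES = ("gpcmachineextensionnames", "gpcuserextensionnames")
LOCALHOST = ("127.0.0.1", "::1", "::ffff:127.0.0.1")


def _values(event: dict, field: str) -> list[str]:
    """Return a field as a list of strings (a Sigma list value means OR)."""
    raw = event.get(field)
    if raw is None:
        return []
    return [str(x) for x in (raw if isinstance(raw, list) else [raw])]


def _contains(event: dict, field: str, needles: Iterable[str]) -> bool:
    # Sigma string matching is case-insensitive unless a modifier says otherwise.
    vals = [v.lower() for v in _values(event, field)]
    return any(n.lower() in v for v in vals for n in needles)


def _endswith(event: dict, field: str, suffix: str) -> bool:
    return any(v.lower().endswith(suffix.lower()) for v in _values(event, field))


def selection_5136(event: dict) -> bool:
    """Directory object modified: a scheduled-task CSE GUID written to gPC*ExtensionNames."""
    return (
        event.get("EventID") == 5136
        and any(v.lower() in GPC_ATTRIBUTES for v in _values(event, "AttributeLDAPDisplayName"))
        and _contains(event, "AttributeValue", SCHEDULED_TASK_CSE_GUIDS)
    )


def selection_5145(event: dict) -> bool:
    """Detailed file share access: ScheduledTasks.xml written on the SYSVOL share."""
    return (
        event.get("EventID") == 5145
        and _endswith(event, "ShareName", "\\SYSVOL")  # matches \\*\SYSVOL
        and _endswith(event, "RelativeTargetName", "ScheduledTasks.xml")
        and _contains(event, "AccessList", ("WriteData", "%%4417"))
    )


def matches(event: dict) -> bool:
    """The rule's condition: 1 of selection_*."""
    return selection_5136(event) or selection_5145(event)


def source_kind(event: dict) -> str:
    """Triage hint from the false-positive note: was the change made from localhost?
    5136 directory events carry no client address, so they come back 'unknown'."""
    addr = event.get("IpAddress")
    if addr is None:
        return "unknown"
    return "local" if addr in LOCALHOST else "remote"


def alerts(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (event id, source kind) for every event the rule fires on."""
    return [(e["_id"], source_kind(e)) for e in events if matches(e)]


# Constructed sample events (not real telemetry); domain and GPO GUID are placeholders.
TASK_XML = ("contoso.local\\Policies\\{PLACEHOLDER-GPO-GUID}\\Machine\\Preferences"
            "\\ScheduledTasks\\ScheduledTasks.xml")
SAMPLE_EVENTS = [
    {   # GPO edited so the Machine scheduled-task CSE is registered -> fires
        "_id": "gpo-cse-added", "EventID": 5136,
        "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
        "AttributeValue": "[{00000000-0000-0000-0000-000000000000}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]"
                          "[{AADCED64-746C-4633-A97C-D61349046527}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]",
    },
    {   # Same attribute, but a placeholder CSE GUID the rule does not list -> no match
        "_id": "gpo-other-cse", "EventID": 5136,
        "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
        "AttributeValue": "[{00000000-0000-0000-0000-000000000000}{11111111-2222-3333-4444-555555555555}]",
    },
    {   # ScheduledTasks.xml written on SYSVOL from a workstation address -> fires, remote
        "_id": "sysvol-task-write", "EventID": 5145, "IpAddress": "10.0.5.23",
        "ShareName": "\\\\*\\SYSVOL", "RelativeTargetName": TASK_XML,
        "AccessList": "%%4416 %%4417 %%4418",
    },
    {   # Ordinary Group Policy client refresh: read-only access to the same file -> no match
        "_id": "sysvol-task-read", "EventID": 5145, "IpAddress": "10.0.5.24",
        "ShareName": "\\\\*\\SYSVOL", "RelativeTargetName": TASK_XML,
        "AccessList": "%%4416",
    },
    {   # Write to a different file on the share -> no match
        "_id": "sysvol-gpt-write", "EventID": 5145, "IpAddress": "127.0.0.1",
        "ShareName": "\\\\*\\SYSVOL",
        "RelativeTargetName": "contoso.local\\Policies\\{PLACEHOLDER-GPO-GUID}\\GPT.INI",
        "AccessList": "%%4417",
    },
]

if __name__ == "__main__":
    for event_id, kind in alerts(SAMPLE_EVENTS):
        print(f"ALERT {event_id} (source: {kind})")
```

The read-only 5145 event is the important negative case: every domain member reads ScheduledTasks.xml during a policy refresh, and the rule stays quiet because `AccessList` lacks `%%4417`/`WriteData`. The `source_kind` value is only a triage aid; a write from a domain controller's own address still fires, it just warrants the local-vs-remote distinction the false-positive note describes.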
MITRE ATT&CK
Rule Metadata
Rule ID
a8f29a7b-b137-4446-80a0-b804272f3da2
Status
test
Level
high
Type
Detection
Created
Wed Apr 03
Modified
Wed Sep 04
Author
Path
rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml
Raw Tags
attack.privilege-escalation
attack.execution
attack.persistence
attack.lateral-movement
attack.t1053.005