Creation or Modification of a new GPO Scheduled Task or Service

Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/08/13"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2026/05/04"

[rule]
author = ["Elastic"]
description = """
Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for
legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a
malicious payload remotely on all or a subset of the domain joined machines.
"""
from = "now-9m"
index = [
    "winlogbeat-*",
    "logs-endpoint.events.file-*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
name = "Creation or Modification of a new GPO Scheduled Task or Service"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Creation or Modification of a new GPO Scheduled Task or Service

Group Policy Objects (GPOs) are crucial for centralized management in Windows environments, allowing administrators to configure settings across domain-joined machines. Group Policy Preferences store scheduled task and service items as XML files under the GPO's folder in SYSVOL, and every computer that applies the GPO registers the task or reconfigures the service at its next policy refresh. An adversary who can edit a GPO (domain admins, but also any principal with delegated write access to the GPO or to its SYSVOL folder) can therefore deploy a payload across the domain with a single file write. The detection rule watches for the creation or modification of ScheduledTasks.xml and Services.xml under the computer-side (MACHINE) preferences path on domain controllers, excluding the DFS Replication service that copies those files between controllers. User-side scheduled task preferences (the GPO's USER folder) are not in scope of this rule.

### Possible investigation steps

- Review the file path and name to confirm if the changes were made to "ScheduledTasks.xml" or "Services.xml" within the specified GPO paths, as these are indicative of potential unauthorized modifications.
- Identify the process that wrote the file. The DFS Replication service ("C:\\\\Windows\\\\System32\\\\dfsrs.exe") is excluded by the query because it copies SYSVOL changes between domain controllers, so the alert should come from the controller where the edit originated: mmc.exe (Group Policy Management Editor) for a local edit, or typically the System process when the write arrived over SMB from an administrator's workstation. Any other writer, such as a script interpreter or a binary running from a user profile, is a strong signal.
- Investigate the user account associated with the file modification event to determine if it has domain admin rights and assess if the activity aligns with their typical behavior or role.
- Examine the changed file itself: for each task item note the runAs account, the command line and the changed timestamp; for each service item note the service name, startup type, action and logon account. Compare against a GPO backup or version history to isolate what is new or altered.
- Correlate the event with other security logs or alerts from data sources like Elastic Endgame, Sysmon, or Microsoft Defender XDR to identify any related suspicious activities or patterns.
- Assess the impact by identifying which domain-joined machines are affected by the GPO changes (the GPO's links and its security filtering determine which computers apply it) and determine if any unauthorized tasks or services have been executed.

### False positive analysis

- Legitimate administrative changes to GPOs can trigger alerts. Regularly review and document scheduled administrative tasks to differentiate between expected and unexpected changes.
- Automated system management tools may modify GPO scheduled tasks or services as part of routine operations. Identify these tools and create exceptions for their processes to reduce noise.
- Software that is deployed or maintained through a Group Policy Preferences scheduled task or service item writes these files whenever its deployment policy is revised. Correlate the change with the product's rollout schedule and the account used to perform it.
- Internal IT scripts or processes that manage GPOs for configuration consistency can cause false positives. Ensure these scripts are well-documented and consider excluding their specific actions from monitoring.
- Temporary changes made by IT staff for troubleshooting or testing purposes can be mistaken for malicious activity. Implement a change management process to log and approve such activities, allowing for easy exclusion from alerts.

### Response and remediation

- Contain the policy change first: unlink the GPO or remove the unauthorized task or service item so that further policy refreshes do not deploy the payload, then isolate the domain-joined machines on which it has already executed.
- Revoke domain admin privileges from any accounts that are suspected of being compromised to prevent further unauthorized modifications to GPOs.
- Conduct a thorough review of the modified ScheduledTasks.xml and Services.xml files to identify any unauthorized or malicious entries, preserve a copy of the malicious version for forensics, and revert the GPO to its last known-good state (from a GPO backup where one exists). Remember that the reverted files replicate to every domain controller in the same way the malicious ones did.
- Utilize endpoint detection and response (EDR) tools to scan for and remove any malicious payloads that may have been executed on domain-joined machines as a result of the GPO modifications.
- Notify the security operations center (SOC) and escalate the incident to the incident response team for further investigation and to determine the scope of the compromise.
- Implement additional monitoring on GPO paths and domain admin activities to detect any further unauthorized changes or suspicious behavior.
- Review and strengthen access controls and auditing policies for GPO management to prevent unauthorized modifications in the future."""
risk_score = 21
rule_id = "c0429aa8-9974-42da-bfb6-53a0a515a145"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Tactic: Persistence",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender XDR",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
file where host.os.type == "windows" and event.type != "deletion" and event.action != "open" and
 file.name : ("ScheduledTasks.xml", "Services.xml") and
  file.path : (
    "?:\\Windows\\SYSVOL\\domain\\Policies\\*\\MACHINE\\Preferences\\ScheduledTasks\\ScheduledTasks.xml",
    "?:\\Windows\\SYSVOL\\domain\\Policies\\*\\MACHINE\\Preferences\\Services\\Services.xml"
  ) and
  not process.executable : "C:\\Windows\\System32\\dfsrs.exe"
'''

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 11 - File Create](https://ela.st/sysmon-event-11-setup)
"""


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1484"
name = "Domain or Tenant Policy Modification"
reference = "https://attack.mitre.org/techniques/T1484/"

[[rule.threat.technique.subtechnique]]
id = "T1484.001"
name = "Group Policy Modification"
reference = "https://attack.mitre.org/techniques/T1484/001/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"

[[rule.threat.technique.subtechnique]]
id = "T1053.005"
name = "Scheduled Task"
reference = "https://attack.mitre.org/techniques/T1053/005/"

[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"

[[rule.threat.technique.subtechnique]]
id = "T1543.003"
name = "Windows Service"
reference = "https://attack.mitre.org/techniques/T1543/003/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Creation or Modification of a new GPO Scheduled Task or Service

Group Policy Objects (GPOs) are crucial for centralized management in Windows environments, allowing administrators to configure settings across domain-joined machines. Group Policy Preferences store scheduled task and service items as XML files under the GPO's folder in SYSVOL, and every computer that applies the GPO registers the task or reconfigures the service at its next policy refresh. An adversary who can edit a GPO (domain admins, but also any principal with delegated write access to the GPO or to its SYSVOL folder) can therefore deploy a payload across the domain with a single file write. The detection rule watches for the creation or modification of ScheduledTasks.xml and Services.xml under the computer-side (MACHINE) preferences path on domain controllers, excluding the DFS Replication service that copies those files between controllers. User-side scheduled task preferences (the GPO's USER folder) are not in scope of this rule.
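To make the query's clauses concrete, the following is an added example (not Elastic's code) that re-implements the rule's EQL filter in Python and runs it over constructed ECS-shaped file events from a domain controller. The GPO GUID, host names, user name and event values are made up; the path patterns and the dfsrs.exe exclusion are copied from the rule. It shows which events alert, why DFS Replication traffic is suppressed, and one gap the rule does not cover (user-side preferences).

```python
import fnmatch

# Wildcard patterns copied from the rule's query. In EQL, `?` matches a single
# character (the drive letter) and `*` any run of characters (the GPO GUID folder).
WATCHED_PATHS = (
    r"?:\Windows\SYSVOL\domain\Policies\*\MACHINE\Preferences\ScheduledTasks\ScheduledTasks.xml",
    r"?:\Windows\SYSVOL\domain\Policies\*\MACHINE\Preferences\Services\Services.xml",
)
WATCHED_NAMES = ("ScheduledTasks.xml", "Services.xml")
# DFS Replication copies SYSVOL between domain controllers; the rule excludes it
# so that one edit does not alert once per controller.
EXCLUDED_EXECUTABLES = (r"C:\Windows\System32\dfsrs.exe",)


def eql_match(value: str, pattern: str) -> bool:
    """The EQL `:` operator: case-insensitive comparison with `*` and `?` wildcards."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def matches_rule(event: dict) -> bool:
    """True if the event satisfies every clause of the rule's EQL query."""
    if event.get("event.category") != "file":            # `file where ...`
        return False
    if event.get("host.os.type") != "windows":
        return False
    if event.get("event.type") == "deletion":             # deletes are out of scope
        return False
    if event.get("event.action") == "open":               # reads are out of scope
        return False
    if not any(eql_match(event.get("file.name", ""), n) for n in WATCHED_NAMES):
        return False
    if not any(eql_match(event.get("file.path", ""), p) for p in WATCHED_PATHS):
        return False
    if any(eql_match(event.get("process.executable", ""), e) for e in EXCLUDED_EXECUTABLES):
        return False
    return True


def sysvol_path(drive: str, gpo_guid: str, side: str, folder: str, name: str) -> str:
    """Build a SYSVOL preferences path; `side` is Machine or User."""
    parts = [drive + ":", "Windows", "SYSVOL", "domain", "Policies", gpo_guid, side, "Preferences", folder, name]
    return "\\".join(parts)


GPO = "{11111111-2222-3333-4444-555555555555}"   # constructed GPO GUID, not a real policy


def dc_event(overrides: dict) -> dict:
    """A constructed ECS-shaped file event from a domain controller, with per-case overrides."""
    event = {
        "event.category": "file", "event.type": "change", "event.action": "modification",
        "host.os.type": "windows", "host.name": "dc01", "user.name": "gpoadmin",
        "file.name": "ScheduledTasks.xml",
        "file.path": sysvol_path("C", GPO, "Machine", "ScheduledTasks", "ScheduledTasks.xml"),
        "process.executable": r"C:\Windows\System32\mmc.exe",   # Group Policy Management Editor
    }
    event.update(overrides)
    return event


SAMPLE_EVENTS = {
    # Alert: an administrator saved a task item in the Group Policy editor on dc01.
    "gpme_edit": dc_event({}),
    # Excluded: the same file landing on dc02 through DFS Replication (note the case difference).
    "dfsr_replica": dc_event({"host.name": "dc02", "process.executable": r"C:\Windows\System32\DFSRS.EXE"}),
    # Alert: Services.xml on a D: SYSVOL volume, written over SMB from an RSAT workstation,
    # which on the controller is typically attributed to the System process.
    "remote_edit": dc_event({"file.name": "Services.xml", "process.executable": "System",
                             "file.path": sysvol_path("D", GPO, "MACHINE", "Services", "Services.xml")}),
    # Not matched: deletions and opens are filtered out by the query.
    "deleted": dc_event({"event.type": "deletion", "event.action": "deletion"}),
    "opened": dc_event({"event.type": "access", "event.action": "open"}),
    # Not matched: user-side preferences live under USER, which the rule does not watch.
    "user_side": dc_event({"file.path": sysvol_path("C", GPO, "User", "ScheduledTasks", "ScheduledTasks.xml")}),
    # Not matched: a copy of the file outside SYSVOL.
    "desktop_copy": dc_event({"file.path": r"C:\Users\gpoadmin\Desktop\ScheduledTasks.xml"}),
}


def alerting_events(events: dict = SAMPLE_EVENTS) -> list:
    """Names of the sample events that would raise this rule, in sorted order."""
    return sorted(name for name, event in events.items() if matches_rule(event))


if __name__ == "__main__":
    for name in alerting_events():
        e = SAMPLE_EVENTS[name]
        print(f"ALERT {name}: {e['user.name']} via {e['process.executable']} wrote {e['file.path']}")
```

Only `gpme_edit` and `remote_edit` alert. The `user_side` case is worth noting when tuning: if your environment deploys user-side scheduled task preferences, a second rule (or a widened path pattern) is needed to cover the USER folder.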

Possible investigation steps

  • Review the file path and name to confirm if the changes were made to "ScheduledTasks.xml" or "Services.xml" within the specified GPO paths, as these are indicative of potential unauthorized modifications.
  • Identify the process that wrote the file. The DFS Replication service (C:\Windows\System32\dfsrs.exe) is excluded by the query because it copies SYSVOL changes between domain controllers, so the alert should come from the controller where the edit originated: mmc.exe (Group Policy Management Editor) for a local edit, or typically the System process when the write arrived over SMB from an administrator's workstation. Any other writer, such as a script interpreter or a binary running from a user profile, is a strong signal.
  • Investigate the user account associated with the file modification event to determine if it has domain admin rights and assess if the activity aligns with their typical behavior or role.
  • Examine the changed file itself: for each task item note the runAs account, the command line and the changed timestamp; for each service item note the service name, startup type, action and logon account. Compare against a GPO backup or version history to isolate what is new or altered.
  • Correlate the event with other security logs or alerts from data sources like Elastic Endgame, Sysmon, or Microsoft Defender XDR to identify any related suspicious activities or patterns.
  • Assess the impact by identifying which domain-joined machines are affected by the GPO changes (the GPO's links and its security filtering determine which computers apply it) and determine if any unauthorized tasks or services have been executed.

False positive analysis

  • Legitimate administrative changes to GPOs can trigger alerts. Regularly review and document scheduled administrative tasks to differentiate between expected and unexpected changes.
  • Automated system management tools may modify GPO scheduled tasks or services as part of routine operations. Identify these tools and create exceptions for their processes to reduce noise.
  • Software that is deployed or maintained through a Group Policy Preferences scheduled task or service item writes these files whenever its deployment policy is revised. Correlate the change with the product's rollout schedule and the account used to perform it.
  • Internal IT scripts or processes that manage GPOs for configuration consistency can cause false positives. Ensure these scripts are well-documented and consider excluding their specific actions from monitoring.
  • Temporary changes made by IT staff for troubleshooting or testing purposes can be mistaken for malicious activity. Implement a change management process to log and approve such activities, allowing for easy exclusion from alerts.

Response and remediation

  • Contain the policy change first: unlink the GPO or remove the unauthorized task or service item so that further policy refreshes do not deploy the payload, then isolate the domain-joined machines on which it has already executed.
  • Revoke domain admin privileges from any accounts that are suspected of being compromised to prevent further unauthorized modifications to GPOs.
  • Conduct a thorough review of the modified ScheduledTasks.xml and Services.xml files to identify any unauthorized or malicious entries, preserve a copy of the malicious version for forensics, and revert the GPO to its last known-good state (from a GPO backup where one exists). Remember that the reverted files replicate to every domain controller in the same way the malicious ones did.
  • Utilize endpoint detection and response (EDR) tools to scan for and remove any malicious payloads that may have been executed on domain-joined machines as a result of the GPO modifications.
  • Notify the security operations center (SOC) and escalate the incident to the incident response team for further investigation and to determine the scope of the compromise.
  • Implement additional monitoring on GPO paths and domain admin activities to detect any further unauthorized changes or suspicious behavior.
  • Review and strengthen access controls and auditing policies for GPO management to prevent unauthorized modifications in the future.
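The investigation and remediation steps above both come down to reading the two XML files and pulling out what each item runs and as whom. The following is an added example (not Elastic's code) of a small triage parser for that: it walks the four task item kinds Group Policy Preferences can emit (Task, TaskV2, ImmediateTask, ImmediateTaskV2), extracts the command line, run-as account and changed timestamp, and for service items reports startup type, action, logon account and whether a stored password (cpassword) is present. The sample XML is constructed: tag and attribute names follow the GPP schema, while task names, GUIDs, paths and timestamps are made up, and the list of suspicious interpreters is an assumed heuristic you should adapt.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

TASK_TAGS = {"Task", "TaskV2", "ImmediateTask", "ImmediateTaskV2"}
# Script hosts and LOLBins that rarely belong in a GPP-deployed task; assumed heuristics.
SUSPICIOUS_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                     "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
SUSPICIOUS_ARGS = ("-enc", "hidden", "frombase64string", "downloadstring", "\\\\")   # last one: UNC path


def _local(tag: str) -> str:
    """Strip a namespace prefix, in case the embedded Task Scheduler XML carries one."""
    return tag.rsplit("}", 1)[-1]


def _child_text(parent, name: str) -> str:
    return next((c.text or "" for c in parent if _local(c.tag) == name), "")


def looks_suspicious(command: str, arguments: str) -> bool:
    image = PureWindowsPath(command).name.lower()
    return image in SUSPICIOUS_IMAGES or any(m in arguments.lower() for m in SUSPICIOUS_ARGS)


def parse_scheduled_tasks(xml_text: str) -> list:
    """One record per task item: what it runs, as whom, and when the item last changed."""
    records = []
    for item in ET.fromstring(xml_text):
        kind = _local(item.tag)
        props = item.find("Properties")
        if kind not in TASK_TAGS or props is None:
            continue
        if kind in ("Task", "ImmediateTask"):
            # v1 items keep the command line in attributes
            commands = [(props.get("appName", ""), props.get("args", ""))]
        else:
            # v2 items embed Task Scheduler 2.0 XML with one <Exec> per action
            commands = [(_child_text(ex, "Command"), _child_text(ex, "Arguments"))
                        for ex in props.iter() if _local(ex.tag) == "Exec"]
        records.append({
            "kind": kind, "name": item.get("name"), "changed": item.get("changed"),
            "run_as": props.get("runAs", ""), "commands": commands,
            "suspicious": any(looks_suspicious(c, a) for c, a in commands),
        })
    return records


def parse_services(xml_text: str) -> list:
    """One record per NTService item; flags a stored logon password (cpassword attribute)."""
    records = []
    for item in ET.fromstring(xml_text):
        props = item.find("Properties")
        if _local(item.tag) != "NTService" or props is None:
            continue
        records.append({
            "service": props.get("serviceName"), "startup": props.get("startupType"),
            "action": props.get("serviceAction"), "account": props.get("accountName", ""),
            "changed": item.get("changed"), "has_cpassword": "cpassword" in props.attrib,
        })
    return records


# Constructed samples: tag and attribute names follow the GPP schema, all values are made up.
SAMPLE_SCHEDULED_TASKS_XML = """<ScheduledTasks>
  <TaskV2 name="Nightly Backup" changed="2025-11-02 01:10:44" uid="{A1A1A1A1-0000-0000-0000-000000000001}">
    <Properties action="U" name="Nightly Backup" runAs="CORP\\svc-backup" logonType="Password">
      <Task version="1.2"><Actions Context="Author"><Exec>
        <Command>C:\\Program Files\\Backup\\backup.exe</Command><Arguments>--nightly</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </TaskV2>
  <ImmediateTaskV2 name="Update" changed="2026-05-04 09:41:07" uid="{A1A1A1A1-0000-0000-0000-000000000002}">
    <Properties action="C" name="Update" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.2"><Actions Context="Author"><Exec>
        <Command>powershell.exe</Command><Arguments>-nop -w hidden -enc SQBFAFgA</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>"""

SAMPLE_SERVICES_XML = """<NTServices>
  <NTService name="Spooler" changed="2025-08-19 14:02:13" uid="{B2B2B2B2-0000-0000-0000-000000000001}">
    <Properties startupType="DISABLED" serviceName="Spooler" serviceAction="STOP"/>
  </NTService>
  <NTService name="MonitorAgent" changed="2026-05-04 09:41:07" uid="{B2B2B2B2-0000-0000-0000-000000000002}">
    <Properties startupType="AUTOMATIC" serviceName="MonitorAgent" serviceAction="START"
                accountName="CORP\\svc-monitor" cpassword="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="/>
  </NTService>
</NTServices>"""


if __name__ == "__main__":
    for t in parse_scheduled_tasks(SAMPLE_SCHEDULED_TASKS_XML):
        flag = "SUSPICIOUS" if t["suspicious"] else "ok"
        print(f"{flag:10} {t['kind']} '{t['name']}' changed {t['changed']} runAs={t['run_as']} {t['commands']}")
    for s in parse_services(SAMPLE_SERVICES_XML):
        flag = "CPASSWORD" if s["has_cpassword"] else "ok"
        print(f"{flag:10} {s['service']} startup={s['startup']} action={s['action']} account={s['account']}")
```

Run against a real file pulled from the alerting domain controller (pass the file contents to the two parse functions), the output gives the analyst the runAs account, command line and changed timestamp for every item in one place; an ImmediateTask item running a script host as SYSTEM, or a Services item carrying a cpassword attribute, is what to look at first.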
