Scheduled Task Execution at Scale via GPO

 1[metadata]
 2creation_date = "2021/11/08"
 3integration = ["system", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/10/23"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the
13GPO.
14"""
15index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
16language = "kuery"
17license = "Elastic License v2"
18name = "Scheduled Task Execution at Scale via GPO"
19note = """## Triage and analysis
20
21### Investigating Scheduled Task Execution at Scale via GPO
22
23Group Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. This is done by changing the contents of the `<GPOPath>\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file.
24
25#### Possible investigation steps
26
27- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.
28- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `<Command>` and `<Arguments>` XML tags for any potentially malicious commands or binaries.
29- Investigate other alerts associated with the user/host during the past 48 hours.
30- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.
31
32### False positive analysis
33
34- Verify if the execution is allowed and done under change management, and if the execution is legitimate.
35
36### Related rules
37
38- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf
39- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046
40
41### Response and remediation
42
43- Initiate the incident response process based on the outcome of the triage.
44- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.
45- Remove the script from the GPO.
46- Check if other GPOs have suspicious scheduled tasks attached.
47- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
48- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
49"""
50references = [
51    "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md",
52    "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md",
53    "https://labs.f-secure.com/tools/sharpgpoabuse",
54    "https://twitter.com/menasec1/status/1106899890377052160",
55    "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_gpo_scheduledtasks.yml",
56]
57risk_score = 47
58rule_id = "15a8ba77-1c13-4274-88fe-6bd14133861e"
59setup = """## Setup
60
61The 'Audit Detailed File Share' audit policy must be configured (Success Failure).
62Steps to implement the logging policy with Advanced Audit Configuration:

1
2The 'Audit Directory Service Changes' audit policy must be configured (Success Failure).
3Steps to implement the logging policy with Advanced Audit Configuration:

 1"""
 2severity = "medium"
 3tags = [
 4    "Domain: Endpoint",
 5    "OS: Windows",
 6    "Use Case: Threat Detection",
 7    "Tactic: Privilege Escalation",
 8    "Tactic: Lateral Movement",
 9    "Data Source: Active Directory",
10    "Resources: Investigation Guide",
11    "Use Case: Active Directory Monitoring"
12]
13timestamp_override = "event.ingested"
14type = "query"
15
16query = '''
17(event.code: "5136" and winlog.event_data.AttributeLDAPDisplayName:("gPCMachineExtensionNames" or "gPCUserExtensionNames") and
18   winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*))
19or
20(event.code: "5145" and winlog.event_data.ShareName: "\\\\*\\SYSVOL" and winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and
21  (message: WriteData or winlog.event_data.AccessList: *%%4417*))
22'''
23
24
25[[rule.threat]]
26framework = "MITRE ATT&CK"
27[[rule.threat.technique]]
28id = "T1053"
29name = "Scheduled Task/Job"
30reference = "https://attack.mitre.org/techniques/T1053/"
31[[rule.threat.technique.subtechnique]]
32id = "T1053.005"
33name = "Scheduled Task"
34reference = "https://attack.mitre.org/techniques/T1053/005/"
35
36
37[[rule.threat.technique]]
38id = "T1484"
39name = "Domain Policy Modification"
40reference = "https://attack.mitre.org/techniques/T1484/"
41[[rule.threat.technique.subtechnique]]
42id = "T1484.001"
43name = "Group Policy Modification"
44reference = "https://attack.mitre.org/techniques/T1484/001/"
45
46
47
48[rule.threat.tactic]
49id = "TA0004"
50name = "Privilege Escalation"
51reference = "https://attack.mitre.org/tactics/TA0004/"
52
53[[rule.threat]]
54framework = "MITRE ATT&CK"
55
56[[rule.threat.technique]]
57id = "T1570"
58name = "Lateral Tool Transfer"
59reference = "https://attack.mitre.org/techniques/T1570/"
60
61
62[rule.threat.tactic]
63id = "TA0008"
64name = "Lateral Movement"
65reference = "https://attack.mitre.org/tactics/TA0008/"