Scheduled Task Execution at Scale via GPO

Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2021/11/08"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2026/05/04"

[rule]
author = ["Elastic"]
description = """
Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the
GPO.
"""
index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Scheduled Task Execution at Scale via GPO"
note = """## Triage and analysis

### Investigating Scheduled Task Execution at Scale via GPO

Group Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. This is done by writing a task definition into the `<GPOPath>\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file in SYSVOL (or `<GPOPath>\\User\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` for user-side tasks) and registering the Scheduled Tasks preference extension in the GPO's `gPCMachineExtensionNames` or `gPCUserExtensionNames` attribute, which is why the rule watches both the SYSVOL file write (event 5145) and the attribute change (event 5136).

#### Possible investigation steps

- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.
- Retrieve the contents of the `ScheduledTasks.xml` file from SYSVOL, and check the `<Command>` and `<Arguments>` XML tags (for legacy `<Task>` items, the `appName` and `args` attributes) and the `runAs` attribute for any potentially malicious commands, binaries, or privileged accounts.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Scope which objects may be compromised by retrieving information about which sites, domains, or OUs the GPO is linked to and which computers and users fall under them.

### False positive analysis

- Verify if the execution is allowed and done under change management, and if the execution is legitimate.

### Related rules

- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf
- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046

### Response and remediation

- Initiate the incident response process based on the outcome of the triage.
- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.
- Remove the malicious scheduled task from the GPO, including its entry in `ScheduledTasks.xml`.
- Check if other GPOs have suspicious scheduled tasks attached.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
"""
references = [
    "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md",
    "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md",
    "https://labs.f-secure.com/tools/sharpgpoabuse",
    "https://twitter.com/menasec1/status/1106899890377052160",
    "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_gpo_scheduledtasks.yml",
]
risk_score = 47
rule_id = "15a8ba77-1c13-4274-88fe-6bd14133861e"
setup = """## Setup

The following Windows audit policies must be enabled to generate the events used by this rule:
- [Audit Directory Service Changes](https://ela.st/audit-directory-service-changes)
- [Audit Detailed File Share](https://ela.st/audit-detailed-file-share)

Both policies must be in effect on the domain controllers, because the 5136 directory change events and the 5145 SYSVOL share access events are logged there. Detailed File Share auditing records every file access on audited shares and can be high volume, so make sure the collector is sized for it.
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Tactic: Lateral Movement",
    "Data Source: Active Directory",
    "Resources: Investigation Guide",
    "Use Case: Active Directory Monitoring",
    "Data Source: Windows Security Event Logs",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
any where host.os.type == "windows" and event.code in ("5136", "5145") and
(
  (
    winlog.event_data.AttributeLDAPDisplayName : (
      "gPCMachineExtensionNames",
      "gPCUserExtensionNames"
    ) and
    winlog.event_data.AttributeValue : "*CAB54552-DEEA-4691-817E-ED4A4D1AFC72*" and
    winlog.event_data.AttributeValue : "*AADCED64-746C-4633-A97C-D61349046527*"
  ) or
  (
    winlog.event_data.ShareName : "\\\\*\\SYSVOL" and
    winlog.event_data.RelativeTargetName : "*ScheduledTasks.xml" and
    winlog.event_data.AccessList:"*%%4417*"
  )
)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.005"
name = "Scheduled Task"
reference = "https://attack.mitre.org/techniques/T1053/005/"


[[rule.threat.technique]]
id = "T1484"
name = "Domain or Tenant Policy Modification"
reference = "https://attack.mitre.org/techniques/T1484/"
[[rule.threat.technique.subtechnique]]
id = "T1484.001"
name = "Group Policy Modification"
reference = "https://attack.mitre.org/techniques/T1484/001/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1570"
name = "Lateral Tool Transfer"
reference = "https://attack.mitre.org/techniques/T1570/"


[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
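The EQL query above has two independent branches, and it helps to see exactly which events each one catches and which it lets through. The following Python script is an added example, not code from Elastic or from the rule: it re-implements the query's predicate over a handful of constructed Windows Security events (flattened `winlog.event_data` field names, placeholder GUIDs and share paths; none of it is a real log). EQL's `:` operator is modelled as a case-insensitive glob, which is what it does on keyword fields with `*` wildcards.

```python
import fnmatch

# Extension GUIDs the rule's gPC*ExtensionNames branch requires together: the
# Group Policy Preferences "Scheduled Tasks" client-side extension and its
# preference tool extension (values taken from the rule query).
SCHEDULED_TASKS_CSE = "AADCED64-746C-4633-A97C-D61349046527"
SCHEDULED_TASKS_TOOL = "CAB54552-DEEA-4691-817E-ED4A4D1AFC72"
WRITE_DATA = "%%4417"  # Security log access-mask token for WriteData / AddFile


def like(value, pattern):
    """EQL ':' on a keyword field: case-insensitive match, '*' is a wildcard."""
    return isinstance(value, str) and fnmatch.fnmatchcase(value.lower(), pattern.lower())


def gpo_attribute_branch(ev):
    """Event 5136: a GPO attribute now lists the Scheduled Tasks extension pair."""
    attr = ev.get("AttributeLDAPDisplayName")
    value = ev.get("AttributeValue")
    return (
        (like(attr, "gPCMachineExtensionNames") or like(attr, "gPCUserExtensionNames"))
        and like(value, f"*{SCHEDULED_TASKS_TOOL}*")
        and like(value, f"*{SCHEDULED_TASKS_CSE}*")
    )


def sysvol_write_branch(ev):
    """Event 5145: a ScheduledTasks.xml under the SYSVOL share opened for writing."""
    return (
        like(ev.get("ShareName"), "\\\\*\\SYSVOL")
        and like(ev.get("RelativeTargetName"), "*ScheduledTasks.xml")
        and like(ev.get("AccessList"), f"*{WRITE_DATA}*")
    )


def rule_matches(ev):
    """Top-level predicate of the EQL query: 'any where ... and (branch or branch)'."""
    return (
        ev.get("host.os.type") == "windows"
        and ev.get("event.code") in ("5136", "5145")
        and (gpo_attribute_branch(ev) or sysvol_write_branch(ev))
    )


# Constructed sample events for this example (not real logs).
SAMPLE_EVENTS = [
    {  # attacker registers the Scheduled Tasks extension pair on a GPO
        "id": "evt-1", "host.os.type": "windows", "event.code": "5136",
        "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
        "AttributeValue": "[{00000000-0000-0000-0000-000000000000}"
                          "{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]"
                          "[{AADCED64-746C-4633-A97C-D61349046527}"
                          "{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]",
    },
    {  # same attribute changed for some other extension (placeholder GUIDs)
        "id": "evt-2", "host.os.type": "windows", "event.code": "5136",
        "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
        "AttributeValue": "[{11111111-1111-1111-1111-111111111111}"
                          "{22222222-2222-2222-2222-222222222222}]",
    },
    {  # ScheduledTasks.xml written in SYSVOL (ReadData, WriteData, AppendData)
        "id": "evt-3", "host.os.type": "windows", "event.code": "5145",
        "ShareName": "\\\\*\\SYSVOL",
        "RelativeTargetName": "corp.example\\Policies\\{A1B2C3D4-0000-4000-8000-000000000001}"
                              "\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml",
        "AccessList": "%%4416 %%4417 %%4418",
    },
    {  # the same file merely read by a client applying policy
        "id": "evt-4", "host.os.type": "windows", "event.code": "5145",
        "ShareName": "\\\\*\\SYSVOL",
        "RelativeTargetName": "corp.example\\Policies\\{A1B2C3D4-0000-4000-8000-000000000001}"
                              "\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml",
        "AccessList": "%%4416",
    },
    {  # a write to a file of the same name on an ordinary share
        "id": "evt-5", "host.os.type": "windows", "event.code": "5145",
        "ShareName": "\\\\*\\Backups",
        "RelativeTargetName": "exports\\ScheduledTasks.xml",
        "AccessList": "%%4417",
    },
]


def alerting_event_ids(events=SAMPLE_EVENTS):
    """Return the ids of the events the rule would alert on, in input order."""
    return [ev["id"] for ev in events if rule_matches(ev)]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["id"], ev["event.code"], "ALERT" if rule_matches(ev) else "-")
```

Only evt-1 and evt-3 alert. The read of `ScheduledTasks.xml` in evt-4 is what every domain member does at policy refresh, and the `%%4417` (WriteData) requirement is what keeps that noise out; a real `AccessList` value carries the tokens separated by whitespace and newlines, which the `*%%4417*` wildcard still matches.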
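The investigation step in the note asks for the `<Command>` and `<Arguments>` of each task in `ScheduledTasks.xml`. The following Python script is an added example, not Elastic's tooling: it parses a Group Policy Preferences `ScheduledTasks.xml`, returns one record per task action (name, action, `runAs` account, command line) for both the Vista+ `TaskV2`/`ImmediateTaskV2` form and the legacy `<Task>` form with `appName`/`args` attributes, and applies a few illustrative triage heuristics. The sample XML, the task names and the command lines are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

ACTIONS = {"C": "create", "R": "replace", "U": "update", "D": "delete"}
INTERPRETERS = ("powershell", "pwsh", "cmd", "mshta", "rundll32", "regsvr32",
                "wscript", "cscript", "certutil", "bitsadmin")


def local_name(tag):
    """Strip an XML namespace prefix in case a file carries one."""
    return tag.rsplit("}", 1)[-1]


def extract_tasks(xml_text):
    """Return one record per task action found in a GPP ScheduledTasks.xml."""
    root = ET.fromstring(xml_text)
    tasks = []
    for entry in root:
        props = next((c for c in entry if local_name(c.tag) == "Properties"), None)
        if props is None:
            continue
        base = {
            "kind": local_name(entry.tag),  # Task, TaskV2, ImmediateTaskV2, ...
            "name": props.get("name") or entry.get("name", ""),
            "action": ACTIONS.get(props.get("action"), props.get("action", "")),
            "runAs": props.get("runAs", ""),
        }
        if props.get("appName") is not None:  # legacy <Task>: command line in attributes
            tasks.append({**base, "command": props.get("appName"),
                          "arguments": props.get("args", "")})
            continue
        for node in props.iter():  # TaskV2 / ImmediateTaskV2: <Exec> under <Actions>
            if local_name(node.tag) != "Exec":
                continue
            cmd = args = ""
            for child in node:
                if local_name(child.tag) == "Command":
                    cmd = (child.text or "").strip()
                elif local_name(child.tag) == "Arguments":
                    args = (child.text or "").strip()
            tasks.append({**base, "command": cmd, "arguments": args})
    return tasks


def flag_suspicious(task):
    """Illustrative triage heuristics (not the rule's logic); returns reasons."""
    reasons = []
    exe = re.sub(r"\.exe$", "", task["command"].rsplit("\\", 1)[-1].lower())
    if task["kind"].startswith("Immediate"):
        reasons.append("immediate task: runs at next policy refresh")
    if "system" in task["runAs"].lower():
        reasons.append("runs as SYSTEM")
    if exe in INTERPRETERS:
        reasons.append(f"interpreter/LOLBin: {exe}")
    if re.search(r"(?i)(?<!\S)-e(?:nc|c|ncodedcommand)?(?!\S)", task["arguments"]):
        reasons.append("encoded PowerShell command")
    if re.search(r"(?i)https?://|\\\\\S+\\", task["arguments"]):
        reasons.append("remote payload path in arguments")
    return reasons


# Constructed sample (not from any real environment): one SharpGPOAbuse-style
# immediate task plus one benign legacy-format task.
SAMPLE_XML = r"""<ScheduledTasks>
  <ImmediateTaskV2 name="Update" image="0" changed="2021-11-08 10:12:00">
    <Properties action="C" name="Update" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Principals>
          <Principal id="Author">
            <UserId>NT AUTHORITY\System</UserId>
            <RunLevel>HighestAvailable</RunLevel>
          </Principal>
        </Principals>
        <Actions Context="Author">
          <Exec>
            <Command>powershell.exe</Command>
            <Arguments>-nop -w hidden -enc SQBFAFgA</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
  <Task name="Weekly defrag" image="0" changed="2019-03-02 08:00:00">
    <Properties action="U" name="Weekly defrag" appName="C:\Windows\System32\defrag.exe"
                args="C: /U" startIn="" comment="" enabled="1" runAs=""/>
  </Task>
</ScheduledTasks>"""


if __name__ == "__main__":
    for t in extract_tasks(SAMPLE_XML):
        print(f'{t["kind"]} "{t["name"]}" ({t["action"]}) runAs={t["runAs"] or "<logged-on user>"}')
        print(f'  {t["command"]} {t["arguments"]}')
        for reason in flag_suspicious(t):
            print("  !", reason)
```

An `ImmediateTaskV2` running an interpreter with an encoded command as `NT AUTHORITY\System` is the shape SharpGPOAbuse and similar tooling produce; the heuristics are a starting point for a human, not a verdict, and a deliberately blended task (a plain `cmd.exe /c` calling a renamed binary dropped in SYSVOL, for instance) will need the file itself read.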
