Persistence and Execution at Scale via GPO Scheduled Task

calendar Sep 6, 2024 · attack.persistence attack.lateral-movement attack.t1053.005  ·
Share on: linkedin copy

Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale

Sigma rule (View on GitHub)

 1title: Persistence and Execution at Scale via GPO Scheduled Task
 2id: a8f29a7b-b137-4446-80a0-b804272f3da2
 3status: test
 4description: Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale
 5references:
 6    - https://twitter.com/menasec1/status/1106899890377052160
 7    - https://www.secureworks.com/blog/ransomware-as-a-distraction
 8    - https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-0-16-1-scheduled-task-execution-at-scale-via-gpo.html
 9author: Samir Bousseaden
10date: 2019-04-03
11modified: 2024-09-04
12tags:
13    - attack.persistence
14    - attack.lateral-movement
15    - attack.t1053.005
16logsource:
17    product: windows
18    service: security
19    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
20detection:
21    selection_5136:
22        EventID: 5136
23        AttributeLDAPDisplayName:
24            - 'gPCMachineExtensionNames'
25            - 'gPCUserExtensionNames'
26        AttributeValue|contains:
27            - 'CAB54552-DEEA-4691-817E-ED4A4D1AFC72'
28            - 'AADCED64-746C-4633-A97C-D61349046527'
29    selection_5145:
30        EventID: 5145
31        ShareName|endswith: '\SYSVOL' # looking for the string \\*\SYSVOL
32        RelativeTargetName|endswith: 'ScheduledTasks.xml'
33        AccessList|contains:
34            - 'WriteData'
35            - '%%4417'
36    condition: 1 of selection_*
37falsepositives:
38    - If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduled tasks.
39level: high

References

Related rules

to-top