Startup/Logon Script Added to Group Policy Object
Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
Sigma rule
title: Startup/Logon Script Added to Group Policy Object
id: 123e4e6d-b123-48f8-b261-7214938acaf0
status: test
description: |
    Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
references:
    - https://www.elastic.co/guide/en/security/current/startup-logon-script-added-to-group-policy-object.html
author: Elastic, Josh Nickels, Marius Rothenbücher
date: 2024-09-06
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1484.001
    - attack.t1547
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy settings "DS Access > Audit Directory Service Changes" (EventID 5136) and "Object Access > Audit Detailed File Share" (EventID 5145) must be configured for Success/Failure'
detection:
    selection_eventid:
        EventID:
            - 5136
            - 5145
    selection_attributes_main:
        AttributeLDAPDisplayName:
            - 'gPCMachineExtensionNames'
            - 'gPCUserExtensionNames'
        AttributeValue|contains: '42B5FAAE-6536-11D2-AE5A-0000F87571E3'
    selection_attributes_optional:
        AttributeValue|contains:
            - '40B6664F-4972-11D1-A7CA-0000F87571E3'
            - '40B66650-4972-11D1-A7CA-0000F87571E3'
    selection_share:
        ShareName|endswith: '\SYSVOL'
        RelativeTargetName|endswith:
            - '\scripts.ini'
            - '\psscripts.ini'
        AccessList|contains: '%%4417'
    condition: selection_eventid and (all of selection_attributes_* or selection_share)
falsepositives:
    - Legitimate execution by system administrators.
level: medium
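To see how the condition resolves in practice, here is an added Python evaluator (not part of the SigmaHQ rule or any Sigma backend) that implements the three selections and the condition over constructed Security events. Field names follow the rule; the domain name and GPO path in the samples are invented, the GUIDs are the ones the rule lists plus the Registry CSE and Administrative Templates snap-in for a non-matching edit, and AccessList is assumed to carry the raw %%4417 resource token as the Security log writes it.

```python
"""Evaluator for the Sigma rule above. Added example, not SigmaHQ code.
Events are dicts keyed by the event fields the rule references; all samples
below are constructed, not captured from a real domain controller."""

# GUIDs from the rule: the Scripts client-side extension (CSE) and the two
# Group Policy MMC snap-in extensions that write scripts.ini / psscripts.ini.
SCRIPTS_CSE_GUID = "42B5FAAE-6536-11D2-AE5A-0000F87571E3"
SCRIPTS_SNAPIN_GUIDS = (
    "40B6664F-4972-11D1-A7CA-0000F87571E3",  # Scripts (Startup/Shutdown)
    "40B66650-4972-11D1-A7CA-0000F87571E3",  # Scripts (Logon/Logoff)
)
GPC_ATTRIBUTES = ("gpcmachineextensionnames", "gpcuserextensionnames")
WRITE_DATA = "%%4417"  # AccessList resource token for WriteData / AddFile


def _text(value):
    """Sigma string matching is case-insensitive; normalise once here."""
    return "" if value is None else str(value).lower()


def _contains(value, needles):
    """Sigma '|contains' with a list value: OR over the needles."""
    return any(n.lower() in _text(value) for n in needles)


def _endswith(value, suffixes):
    """Sigma '|endswith' with a list value: OR over the suffixes."""
    return any(_text(value).endswith(s.lower()) for s in suffixes)


def selection_eventid(ev):
    return ev.get("EventID") in (5136, 5145)


def selection_attributes_main(ev):
    # Fields inside one selection are ANDed; the list of names is ORed.
    return (_text(ev.get("AttributeLDAPDisplayName")) in GPC_ATTRIBUTES
            and _contains(ev.get("AttributeValue"), [SCRIPTS_CSE_GUID]))


def selection_attributes_optional(ev):
    return _contains(ev.get("AttributeValue"), SCRIPTS_SNAPIN_GUIDS)


def selection_share(ev):
    return (_endswith(ev.get("ShareName"), ["\\SYSVOL"])
            and _endswith(ev.get("RelativeTargetName"),
                          ["\\scripts.ini", "\\psscripts.ini"])
            and _contains(ev.get("AccessList"), [WRITE_DATA]))


def matches(ev):
    """selection_eventid and (all of selection_attributes_* or selection_share)"""
    attrs = selection_attributes_main(ev) and selection_attributes_optional(ev)
    return selection_eventid(ev) and (attrs or selection_share(ev))


_GPO = "corp.example\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}"  # invented path

# Constructed sample events.
SAMPLE_EVENTS = [
    {   # Scripts CSE plus Startup/Shutdown snap-in registered on the computer side.
        "label": "5136 machine startup script registered", "EventID": 5136,
        "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
        "AttributeValue": "[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}"
                          "{40B6664F-4972-11D1-A7CA-0000F87571E3}]"},
    {   # Registry CSE plus Administrative Templates snap-in: routine GPO edit.
        "label": "5136 registry CSE only", "EventID": 5136,
        "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
        "AttributeValue": "[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}"
                          "{0F6B957D-509E-11D1-A7CC-0000F87571E3}]"},
    {   # User side, lower-case GUIDs: matching must stay case-insensitive.
        "label": "5136 user logon script registered (lower-case)", "EventID": 5136,
        "AttributeLDAPDisplayName": "gPCUserExtensionNames",
        "AttributeValue": "[{42b5faae-6536-11d2-ae5a-0000f87571e3}"
                          "{40b66650-4972-11d1-a7ca-0000f87571e3}]"},
    {   # scripts.ini written in SYSVOL; AccessList holds the raw %%4417 token.
        "label": "5145 scripts.ini write", "EventID": 5145,
        "ShareName": "\\\\*\\SYSVOL",
        "RelativeTargetName": _GPO + "\\Machine\\Scripts\\scripts.ini",
        "AccessList": "%%4416 %%4417"},
    {   # Read-only (%%4416 = ReadData) of psscripts.ini: gpupdate noise.
        "label": "5145 psscripts.ini read", "EventID": 5145,
        "ShareName": "\\\\*\\SYSVOL",
        "RelativeTargetName": _GPO + "\\User\\Scripts\\psscripts.ini",
        "AccessList": "%%4416"},
    {   # GPT.INI write: happens on every GPO version bump, not a script change.
        "label": "5145 GPT.ini write", "EventID": 5145,
        "ShareName": "\\\\*\\SYSVOL",
        "RelativeTargetName": _GPO + "\\GPT.INI", "AccessList": "%%4417"},
]


def alerts(events=SAMPLE_EVENTS):
    """Labels of the events the rule would alert on, in input order."""
    return [ev["label"] for ev in events if matches(ev)]


if __name__ == "__main__":
    for label in alerts():
        print("ALERT:", label)
```

Two tuning points the sample set makes visible: `all of selection_attributes_*` means a 5136 event only fires when the attribute value carries both the Scripts CSE GUID and one of the two Scripts snap-in GUIDs, and the 5145 branch depends on AccessList still containing the literal `%%4417`; a SIEM that resolves resource tokens to names such as `WriteData` will never match that clause until the rule is adapted.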