Startup/Logon Script Added to Group Policy Object

Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects. The rule watches the two places such a change surfaces: the GPO's Active Directory object (Event ID 5136, where the gPCMachineExtensionNames or gPCUserExtensionNames attribute gains the Scripts client-side extension GUID together with the Startup/Shutdown or Logon/Logoff tool extension GUID) and the GPO's folder in SYSVOL (Event ID 5145, a write to scripts.ini or psscripts.ini). The definition field in the rule only names the Detailed File Share subcategory; the 5136 branch additionally requires "DS Access > Audit Directory Service Changes" to be enabled on the domain controllers, with a SACL on the groupPolicyContainer objects that audits write access, or those events are never generated.

Sigma rule

```yaml
title: Startup/Logon Script Added to Group Policy Object
id: 123e4e6d-b123-48f8-b261-7214938acaf0
status: experimental
description: |
        Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
references:
    - https://www.elastic.co/guide/en/security/current/startup-logon-script-added-to-group-policy-object.html
author: Elastic, Josh Nickels, Marius Rothenbücher
date: 2024-09-06
tags:
    - attack.privilege-escalation
    - attack.t1484.001
    - attack.t1547
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
    selection_eventid:
        EventID:
            - 5136
            - 5145
    selection_attributes_main:
        AttributeLDAPDisplayName:
            - 'gPCMachineExtensionNames'
            - 'gPCUserExtensionNames'
        AttributeValue|contains: '42B5FAAE-6536-11D2-AE5A-0000F87571E3'
    selection_attributes_optional:
        AttributeValue|contains:
            - '40B6664F-4972-11D1-A7CA-0000F87571E3'
            - '40B66650-4972-11D1-A7CA-0000F87571E3'
    selection_share:
        ShareName|endswith: '\SYSVOL'
        RelativeTargetName|endswith:
            - '\scripts.ini'
            - '\psscripts.ini'
        AccessList|contains: '%%4417'
    condition: selection_eventid and (all of selection_attributes_* or selection_share)
falsepositives:
    - Legitimate execution by system administrators.
level: medium
```
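As an added illustration, not part of the SigmaHQ rule or of this page, the following Python re-implements the rule's detection block and evaluates it over a handful of constructed Windows Security events, so the two branches of the condition can be seen firing (and not firing). Field names follow the Sigma field names used in the rule; the sample events, the domain name, the GPO GUID and the file paths are made up for the example, and the matching helpers approximate Sigma's case-insensitive contains/endswith semantics rather than calling a Sigma library.

```python
# Added example: Python re-implementation of the rule's detection logic over
# constructed sample events. Not part of the Sigma rule itself.

# GUIDs the rule keys on (taken from the rule body).
SCRIPTS_CSE = "42B5FAAE-6536-11D2-AE5A-0000F87571E3"            # Scripts client-side extension
TOOL_STARTUP_SHUTDOWN = "40B6664F-4972-11D1-A7CA-0000F87571E3"  # Scripts (Startup/Shutdown) tool extension
TOOL_LOGON_LOGOFF = "40B66650-4972-11D1-A7CA-0000F87571E3"      # Scripts (Logon/Logoff) tool extension
WRITEDATA_ADDFILE = "%%4417"                                    # 5145 AccessList token: WriteData / AddFile


def _contains_any(value, needles):
    """Sigma '|contains' with a list: OR-ed, case-insensitive substring match."""
    v = (value or "").lower()
    return any(n.lower() in v for n in needles)


def _endswith_any(value, suffixes):
    """Sigma '|endswith' with a list: OR-ed, case-insensitive suffix match."""
    v = (value or "").lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def selection_eventid(e):
    return e.get("EventID") in (5136, 5145)


def selection_attributes_main(e):
    # 5136 branch: the GPO's CSE list attribute now references the Scripts CSE.
    attr = (e.get("AttributeLDAPDisplayName") or "").lower()
    return (attr in ("gpcmachineextensionnames", "gpcuserextensionnames")
            and _contains_any(e.get("AttributeValue"), [SCRIPTS_CSE]))


def selection_attributes_optional(e):
    # ...and the Startup/Shutdown or Logon/Logoff tool extension is listed alongside it.
    return _contains_any(e.get("AttributeValue"), [TOOL_STARTUP_SHUTDOWN, TOOL_LOGON_LOGOFF])


def selection_share(e):
    # 5145 branch: scripts.ini / psscripts.ini under SYSVOL opened with write access.
    return (_endswith_any(e.get("ShareName"), ["\\SYSVOL"])
            and _endswith_any(e.get("RelativeTargetName"), ["\\scripts.ini", "\\psscripts.ini"])
            and _contains_any(e.get("AccessList"), [WRITEDATA_ADDFILE]))


def matches(e):
    """condition: selection_eventid and (all of selection_attributes_* or selection_share)"""
    return selection_eventid(e) and (
        (selection_attributes_main(e) and selection_attributes_optional(e))
        or selection_share(e))


def evaluate(events):
    """Return [(event id, branch)] for every event the rule would alert on."""
    hits = []
    for e in events:
        if not matches(e):
            continue
        branch = ("ad_attribute"
                  if selection_attributes_main(e) and selection_attributes_optional(e)
                  else "sysvol_write")
        hits.append((e["id"], branch))
    return hits


# Constructed sample events (hypothetical domain contoso.local, Default Domain Policy GUID).
GPO_DIR = r"contoso.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Scripts"
SAMPLE_EVENTS = [
    # Scripts CSE + Startup/Shutdown tool extension added to the GPO object -> alert (AD branch)
    {"id": "gpo-startup-script", "EventID": 5136, "ObjectClass": "groupPolicyContainer",
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
     "AttributeValue": "[{" + SCRIPTS_CSE + "}{" + TOOL_STARTUP_SHUTDOWN + "}]"},
    # Registry CSE + Administrative Templates tool extension (ordinary ADMX edit) -> no alert
    {"id": "gpo-admx-only", "EventID": 5136, "ObjectClass": "groupPolicyContainer",
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
     "AttributeValue": "[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]"},
    # scripts.ini written in the GPO's SYSVOL folder -> alert (share branch)
    {"id": "sysvol-scripts-ini-write", "EventID": 5145, "ShareName": r"\\*\SYSVOL",
     "RelativeTargetName": GPO_DIR + r"\scripts.ini", "AccessList": "%%4417 %%4418"},
    # Same file only read (normal Group Policy refresh) -> no alert
    {"id": "sysvol-scripts-ini-read", "EventID": 5145, "ShareName": r"\\*\SYSVOL",
     "RelativeTargetName": GPO_DIR + r"\scripts.ini", "AccessList": "%%4416"},
    # Script body itself overwritten (logon.bat) -> no alert: the rule only watches the .ini files
    {"id": "sysvol-logon-bat-write", "EventID": 5145, "ShareName": r"\\*\SYSVOL",
     "RelativeTargetName": GPO_DIR + r"\Startup\logon.bat", "AccessList": "%%4417"},
    # Local file-system audit (4663) with the same path -> no alert: wrong EventID
    {"id": "fs-4663-scripts-ini", "EventID": 4663,
     "ObjectName": "C:\\Windows\\SYSVOL\\sysvol\\" + GPO_DIR + r"\scripts.ini", "AccessList": "%%4417"},
]

if __name__ == "__main__":
    for event_id, branch in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {event_id}: matched via {branch}")
```

Two of the non-matching samples are worth keeping in mind when tuning: the rule keys on writes to scripts.ini and psscripts.ini, so replacing the body of a script that is already registered in an existing GPO produces no 5145 hit from this rule, and it does not look at 4663 file-system audits on the domain controller at all, only at the share-level 5145 events. For triage, join the 5145 hits on SubjectUserName and IpAddress; legitimate edits come from admins working in GPMC, which is the source of the false positives the rule lists.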
