Startup/Logon Script Added to Group Policy Object
Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
Sigma rule (View on GitHub)
1title: Startup/Logon Script Added to Group Policy Object
2id: 123e4e6d-b123-48f8-b261-7214938acaf0
3status: experimental
4description: |
5 Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
6references:
7 - https://www.elastic.co/guide/en/security/current/startup-logon-script-added-to-group-policy-object.html
8author: Elastic, Josh Nickels, Marius Rothenbücher
9date: 2024-09-06
10tags:
11 - attack.privilege-escalation
12 - attack.t1484.001
13 - attack.t1547
14logsource:
15 product: windows
16 service: security
17 definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
18detection:
19 selection_eventid:
20 EventID:
21 - 5136
22 - 5145
23 selection_attributes_main:
24 AttributeLDAPDisplayName:
25 - 'gPCMachineExtensionNames'
26 - 'gPCUserExtensionNames'
27 AttributeValue|contains: '42B5FAAE-6536-11D2-AE5A-0000F87571E3'
28 selection_attributes_optional:
29 AttributeValue|contains:
30 - '40B6664F-4972-11D1-A7CA-0000F87571E3'
31 - '40B66650-4972-11D1-A7CA-0000F87571E3'
32 selection_share:
33 ShareName|endswith: '\SYSVOL'
34 RelativeTargetName|endswith:
35 - '\scripts.ini'
36 - '\psscripts.ini'
37 AccessList|contains: '%%4417'
38 condition: selection_eventid and (all of selection_attributes_* or selection_share)
39falsepositives:
40 - Legitimate execution by system administrators.
41level: medium
References
Related rules
- Group Policy Abuse for Privilege Addition
- Modify Group Policy Settings
- Modify Group Policy Settings - ScriptBlockLogging
- Certificate Use With No Strong Mapping
- Diamond Sleet APT Scheduled Task Creation