Startup/Logon Script added to Group Policy Object

edit

Startup/Logon Script added to Group Policy Object

edit

Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.

Rule type: query

Rule indices:

  • winlogbeat-*
  • logs-system.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: None (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Privilege Escalation
  • Active Directory

Version: 2

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

edit
## Triage and analysis

### Investigating Scheduled Task Execution at Scale via GPO

Group Policy Objects can be used by attackers as a mechanism for an attacker to instruct an arbitrarily large group of clients to
execute specified commands at startup, logon, shutdown, and logoff. This is done by creating/modifying the `scripts.ini` or
`psscripts.ini` files. The scripts are stored in the following path: `<GPOPath>\Machine\Scripts\`, `<GPOPath>\User\Scripts\`

#### Possible investigation steps:
- This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the activity is legitimate
and the administrator is authorized to perform this operation.
- Retrieve the contents of the script file, and check for any potentially malicious commands and binaries.
- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.

### False Positive Analysis
- Verify if the execution is allowed and done under change management, and legitimate.

### Related Rules
- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf
- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e

### Response and Remediation
- Immediate response should be taken to validate activity, investigate, and potentially isolate activity to prevent further
post-compromise behavior.

## Config

The 'Audit Detailed File Share' audit policy is required be configured (Success Failure).
Steps to implement the logging policy with with Advanced Audit Configuration:
```
Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
Audit Policies >
Object Access >
Audit Detailed File Share (Success,Failure)
```

The 'Audit Directory Service Changes' audit policy is required be configured (Success Failure).
Steps to implement the logging policy with with Advanced Audit Configuration:
```
Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
Audit Policies >
DS Access >
Audit Directory Service Changes (Success,Failure)
```

Rule query

edit
(
 event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and
   winlog.event_data.AttributeValue:(*42B5FAAE-6536-11D2-AE5A-0000F87571E3* and
                                      (*40B66650-4972-11D1-A7CA-0000F87571E3* or *40B6664F-4972-11D1-A7CA-0000F87571E3*))
)
or
(
 event.code:5145 and winlog.event_data.ShareName:\\\\*\\SYSVOL and
   winlog.event_data.RelativeTargetName:(*\\scripts.ini or *\\psscripts.ini) and
   (message:WriteData or winlog.event_data.AccessList:*%%4417*)
)

Framework: MITRE ATT&CKTM