Scheduled Task Execution at Scale via GPO


Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO.

Rule type: query

Rule indices:

  • winlogbeat-*
  • logs-system.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Privilege Escalation
  • Active Directory

Version: 2 (version history)

Added (Elastic Stack release): 8.0.0

Last modified (Elastic Stack release): 8.1.0

Rule authors: Elastic

Rule license: Elastic License v2

Investigation guide

## Triage and analysis

### Investigating Scheduled Task Execution at Scale via GPO

Group Policy Objects can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a
given GPO. This is done by changing the contents of the `<GPOPath>\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml`
file.

#### Possible investigation steps:
- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity
is legitimate and the administrator is authorized to perform this operation.
- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `<Command>` and `<Arguments>` XML tags for any
potentially malicious commands and binaries.
- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.

### False Positive Analysis
- Verify whether the change was authorized and made under change management, and whether the scheduled task itself is legitimate.

### Related Rules
- Group Policy Abuse for Privilege Addition
- Startup/Logon Script added to Group Policy Object

### Response and Remediation
- Immediate response should be taken to validate activity, investigate, and potentially isolate activity to prevent further
post-compromise behavior.

## Config

The 'Audit Detailed File Share' audit policy must be configured (Success, Failure). Because event 5145 is generated by the server hosting the share, this must be applied to the domain controllers, which host SYSVOL.
Steps to implement the logging policy with Advanced Audit Configuration:
```
Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
Audit Policies >
Object Access >
Audit Detailed File Share (Success,Failure)
```

The 'Audit Directory Service Changes' audit policy must be configured (Success, Failure). Note that event 5136 is only written when the modified object's SACL also audits the write, so the group policy container objects must have a matching "Write all properties" audit entry in addition to this subcategory being enabled.
Steps to implement the logging policy with Advanced Audit Configuration:
```
Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
Audit Policies >
DS Access >
Audit Directory Service Changes (Success,Failure)
```

Rule query

```
(event.code: "5136" and
winlog.event_data.AttributeLDAPDisplayName:("gPCMachineExtensionNames"
or "gPCUserExtensionNames") and winlog.event_data.AttributeValue:(
*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and
*AADCED64-746C-4633-A97C-D61349046527*)) or (event.code: "5145" and
winlog.event_data.ShareName: "\\\\*\\SYSVOL" and
winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and
(message: WriteData or winlog.event_data.AccessList: *%%4417*))
```
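The two branches of the query, reimplemented in plain Python over constructed events so the matching conditions can be checked offline. This is an added example, not Elastic's rule engine or code; the events are made up and flattened to the `winlog.event_data.*` field names used by the query, and the GPO GUID in the sample SYSVOL path is the well-known Default Domain Policy GUID used only to make the path realistic. Two details worth seeing in code: both scheduled-task GUIDs must be present in the `gPC*ExtensionNames` value (a single one is not enough), and the `ShareName` comparison is a literal one, because Windows writes the share in 5145 as `\\*\SYSVOL` and the escaped KQL string is that literal rather than a glob.

```python
# Constructed sample events (none are real logs). Field names are the flattened
# winlogbeat/ECS names the rule query uses.
SAMPLE_EVENTS = [
    # 5136: both Scheduled Tasks preference GUIDs written to the GPO -> should match
    {"id": "gpo-sched-tasks-cse-added", "event.code": "5136",
     "winlog.event_data.AttributeLDAPDisplayName": "gPCMachineExtensionNames",
     "winlog.event_data.AttributeValue":
         "[{00000000-0000-0000-0000-000000000000}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]"
         "[{AADCED64-746C-4633-A97C-D61349046527}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]"},
    # 5136: only one of the two GUIDs -> the "and" in the query is not satisfied
    {"id": "gpo-one-guid-only", "event.code": "5136",
     "winlog.event_data.AttributeLDAPDisplayName": "gPCMachineExtensionNames",
     "winlog.event_data.AttributeValue":
         "[{00000000-0000-0000-0000-000000000000}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]"},
    # 5145: WriteData on ScheduledTasks.xml under SYSVOL -> should match
    {"id": "sysvol-task-xml-write", "event.code": "5145",
     "winlog.event_data.ShareName": r"\\*\SYSVOL",
     "winlog.event_data.RelativeTargetName":
         r"corp.example\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}"
         r"\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml",
     "winlog.event_data.AccessList": "%%4417 %%4418",
     "message": "A network share object was checked to see whether client can be granted "
                "desired access.\nAccesses: WriteData (or AddFile)\n\t\tAppendData (or AddSubdirectory)"},
    # 5145: the same file read (clients read it at every policy refresh) -> no match
    {"id": "sysvol-task-xml-read", "event.code": "5145",
     "winlog.event_data.ShareName": r"\\*\SYSVOL",
     "winlog.event_data.RelativeTargetName":
         r"corp.example\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}"
         r"\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml",
     "winlog.event_data.AccessList": "%%4416",
     "message": "A network share object was checked to see whether client can be granted "
                "desired access.\nAccesses: ReadData (or ListDirectory)"},
    # 5145: write to a file of the same name on a different share -> no match
    {"id": "netlogon-write", "event.code": "5145",
     "winlog.event_data.ShareName": r"\\*\NETLOGON",
     "winlog.event_data.RelativeTargetName": r"scripts\ScheduledTasks.xml",
     "winlog.event_data.AccessList": "%%4417",
     "message": "Accesses: WriteData (or AddFile)"},
]

# The two GUIDs the query requires; both must be present in the attribute value.
REQUIRED_GUIDS = ("CAB54552-DEEA-4691-817E-ED4A4D1AFC72", "AADCED64-746C-4633-A97C-D61349046527")
GPO_EXTENSION_ATTRS = {"gPCMachineExtensionNames", "gPCUserExtensionNames"}
SYSVOL_SHARE = r"\\*\SYSVOL"  # literal value Windows logs in 5145, '*' included


def gpo_extension_branch(ev):
    """Branch 1: a GPO's CSE list (5136) now names the Scheduled Tasks preference extension."""
    if ev.get("event.code") != "5136":
        return False
    if ev.get("winlog.event_data.AttributeLDAPDisplayName") not in GPO_EXTENSION_ATTRS:
        return False
    value = ev.get("winlog.event_data.AttributeValue", "")
    return all(g in value for g in REQUIRED_GUIDS)  # case-sensitive, like a keyword wildcard


def sysvol_write_branch(ev):
    """Branch 2: a ScheduledTasks.xml under SYSVOL (5145) was opened with WriteData."""
    if ev.get("event.code") != "5145":
        return False
    if ev.get("winlog.event_data.ShareName", "") != SYSVOL_SHARE:
        return False
    if not ev.get("winlog.event_data.RelativeTargetName", "").endswith("ScheduledTasks.xml"):
        return False
    # %%4417 is the resolved access-mask string for WriteData / AddFile; the message field
    # is analyzed text in Elasticsearch, so the token match there is case-insensitive.
    return ("writedata" in ev.get("message", "").lower()
            or "%%4417" in ev.get("winlog.event_data.AccessList", ""))


def matches_rule(ev):
    return gpo_extension_branch(ev) or sysvol_write_branch(ev)


def run_rule(events):
    """Return the ids of the events that would raise this alert."""
    return [ev["id"] for ev in events if matches_rule(ev)]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev['id']:28s} code={ev['event.code']} match={matches_rule(ev)}")
```

The read event is the important negative case: every domain member reads `ScheduledTasks.xml` from SYSVOL at policy refresh, so a rule keyed on any access to that path would fire constantly. Restricting the second branch to `WriteData` (`%%4417`) keeps the volume to the handful of edits an administrator or an attacker actually makes.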

Threat mapping


Framework: MITRE ATT&CK™

Rule version history

Version 2 (8.1.0 release)
  • Formatting only