New

The executive guide to generative AI

Read more
About usPartnersSupport|Login
Loading

Scheduled Task Execution at Scale via GPO

Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO.

Rule type: eql
Rule indices:

  • logs-system.security*
  • logs-windows.forwarded*
  • winlogbeat-*

Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: ``
Maximum alerts per execution: ?
References:

Tags:

  • Domain: Endpoint
  • OS: Windows
  • Use Case: Threat Detection
  • Tactic: Privilege Escalation
  • Tactic: Lateral Movement
  • Data Source: Active Directory
  • Resources: Investigation Guide
  • Use Case: Active Directory Monitoring
  • Data Source: Windows Security Event Logs

Version: ?
Rule authors:

  • Elastic

Rule license: Elastic License v2

The 'Audit Detailed File Share' audit policy must be configured (Success Failure). Steps to implement the logging policy with Advanced Audit Configuration:

Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
Audit Policies >
Object Access >
Audit Detailed File Share (Success,Failure)

The 'Audit Directory Service Changes' audit policy must be configured (Success Failure). Steps to implement the logging policy with Advanced Audit Configuration:

Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
Audit Policies >
DS Access >
Audit Directory Service Changes (Success,Failure)

Group Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. This is done by changing the contents of the <GPOPath>\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml file.

  • This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.
  • Retrieve the contents of the ScheduledTasks.xml file, and check the <Command> and <Arguments> XML tags for any potentially malicious commands or binaries.
  • Investigate other alerts associated with the user/host during the past 48 hours.
  • Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.
  • Verify if the execution is allowed and done under change management, and if the execution is legitimate.
  • Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf
  • Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046
  • Initiate the incident response process based on the outcome of the triage.
  • The investigation and containment must be performed in every computer controlled by the GPO, where necessary.
  • Remove the script from the GPO.
  • Check if other GPOs have suspicious scheduled tasks attached.
  • Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
  • Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
any where host.os.type == "windows" and event.code in ("5136", "5145") and
(
  (
    winlog.event_data.AttributeLDAPDisplayName : (
      "gPCMachineExtensionNames",
      "gPCUserExtensionNames"
    ) and
    winlog.event_data.AttributeValue : "*CAB54552-DEEA-4691-817E-ED4A4D1AFC72*" and
    winlog.event_data.AttributeValue : "*AADCED64-746C-4633-A97C-D61349046527*"
  ) or
  (
    winlog.event_data.ShareName : "\\\\*\\SYSVOL" and
    winlog.event_data.RelativeTargetName : "*ScheduledTasks.xml" and
    winlog.event_data.AccessList:"*%%4417*"
  )
)

Framework: MITRE ATT&CK

Framework: MITRE ATT&CK