A newer version is available. For the latest information, see the
current release documentation.
Startup/Logon Script added to Group Policy Object
editStartup/Logon Script added to Group Policy Object
editDetects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
Rule type: query
Rule indices:
- winlogbeat-*
- logs-system.*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: None (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
- https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md
- https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md
- https://labs.f-secure.com/tools/sharpgpoabuse
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Privilege Escalation
- Active Directory
Version: 2
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
edit## Triage and analysis ### Investigating Scheduled Task Execution at Scale via GPO Group Policy Objects can be used by attackers as a mechanism for an attacker to instruct an arbitrarily large group of clients to execute specified commands at startup, logon, shutdown, and logoff. This is done by creating/modifying the `scripts.ini` or `psscripts.ini` files. The scripts are stored in the following path: `<GPOPath>\Machine\Scripts\`, `<GPOPath>\User\Scripts\` #### Possible investigation steps: - This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation. - Retrieve the contents of the script file, and check for any potentially malicious commands and binaries. - If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours. ### False Positive Analysis - Verify if the execution is allowed and done under change management, and legitimate. ### Related Rules - Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf - Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e ### Response and Remediation - Immediate response should be taken to validate activity, investigate, and potentially isolate activity to prevent further post-compromise behavior. ## Config The 'Audit Detailed File Share' audit policy is required be configured (Success Failure). Steps to implement the logging policy with with Advanced Audit Configuration: ``` Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > Object Access > Audit Detailed File Share (Success,Failure) ``` The 'Audit Directory Service Changes' audit policy is required be configured (Success Failure). Steps to implement the logging policy with with Advanced Audit Configuration: ``` Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > DS Access > Audit Directory Service Changes (Success,Failure) ```
Rule query
edit( event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and winlog.event_data.AttributeValue:(*42B5FAAE-6536-11D2-AE5A-0000F87571E3* and (*40B66650-4972-11D1-A7CA-0000F87571E3* or *40B6664F-4972-11D1-A7CA-0000F87571E3*)) ) or ( event.code:5145 and winlog.event_data.ShareName:\\\\*\\SYSVOL and winlog.event_data.RelativeTargetName:(*\\scripts.ini or *\\psscripts.ini) and (message:WriteData or winlog.event_data.AccessList:*%%4417*) )
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
-
Technique:
- Name: Boot or Logon Autostart Execution
- ID: T1547
- Reference URL: https://attack.mitre.org/techniques/T1547/
-
Technique:
- Name: Domain Policy Modification
- ID: T1484
- Reference URL: https://attack.mitre.org/techniques/T1484/
-
Sub-technique:
- Name: Group Policy Modification
- ID: T1484.001
- Reference URL: https://attack.mitre.org/techniques/T1484/001/