IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Suspicious Startup Shell Folder Modification Persistence via Scheduled Job Creation »

› ›

Creation or Modification of a new GPO Scheduled Task or Service

edit

Creation or Modification of a new GPO Scheduled Task or Service

edit

Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines.

Rule type: eql

Rule indices:

winlogbeat-*
logs-endpoint.events.*
logs-windows.*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

Elastic
Host
Windows
Threat Detection
Persistence

Version: 102

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Rule query

edit

file where event.type != "deletion" and
  file.path : ("?:\\Windows\\SYSVOL\\domain\\Policies\\*\\MACHINE\\Preferences\\ScheduledTasks\\ScheduledTasks.xml",
               "?:\\Windows\\SYSVOL\\domain\\Policies\\*\\MACHINE\\Preferences\\Services\\Services.xml") and
  not process.name : "dfsrs.exe"

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Scheduled Task/Job
- ID: T1053
- Reference URL: https://attack.mitre.org/techniques/T1053/
Sub-technique:
- Name: Scheduled Task
- ID: T1053.005
- Reference URL: https://attack.mitre.org/techniques/T1053/005/

« Suspicious Startup Shell Folder Modification Persistence via Scheduled Job Creation »