The Search AI Company

Build tailored experiences with Elastic.

Elastic Search AI Platform overview

Scale your business with Elastic Partners

Partner overview

ELK Stack

Search and analytics, data ingestion, and visualization – all at your fingertips.

ELK Stack overview

By developers, for developers

Elastic Cloud

Unlock the power of real-time insights with Elastic on your preferred cloud provider.

Elastic Cloud overview

Generative AI

Prototype and integrate with LLMs faster using search AI.

Generative AI overview

Search

Discover a world of AI possibilities — built with the power of search.

Search Labs

Search overview

Security

Protect, investigate, and respond to cyber threats with AI-driven security analytics.

Security Labs

Security overview

Observability

Unify app and infrastructure visibility to proactively resolve issues.

Observability Labs

Observability overview

By solution

See how customers search, solve, and succeed — all on one Search AI Platform.

All customer stories

Industries

Exceed customer expectations and go to market faster.

Industries overview

Customer spotlight

Cisco saves 5,000 support engineer hours per month

Sitecore automates 96 percent of security workflows with Elastic

Comcast transforms customer experiences with Elastic Observability

Research

Stay at the forefront of innovation with technical tips from the experts.

Build

Code with other developers to create a better Elastic, together.

Learn

Unleash the possibilities of your data and grow your skill set.

Connect

Keep informed about the latest tech and news from Elastic.

Have questions?

New

The executive guide to generative AI

About us Partners Support|Login

Docs
/

Startup/Logon Script added to Group Policy Object

Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.

Rule type: eql
Rule indices:

logs-system.security*
logs-windows.forwarded*
winlogbeat-*

Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: ``
Maximum alerts per execution: ?
References:

Tags:

Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Active Directory
Resources: Investigation Guide
Use Case: Active Directory Monitoring
Data Source: Windows Security Event Logs

Version: ?
Rule authors:

Elastic

Rule license: Elastic License v2

Setup

The 'Audit Detailed File Share' audit policy must be configured (Success Failure). Steps to implement the logging policy with Advanced Audit Configuration:

		Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
Audit Policies >
Object Access >
Audit Detailed File Share (Success,Failure)

	

The 'Audit Directory Service Changes' audit policy must be configured (Success Failure). Steps to implement the logging policy with Advanced Audit Configuration:

		Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
Audit Policies >
DS Access >
Audit Directory Service Changes (Success,Failure)

	

Group Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of clients to execute specified commands at startup, logon, shutdown, and logoff. This is done by creating or modifying the scripts.ini or psscripts.ini files. The scripts are stored in the following paths:

<GPOPath>\Machine\Scripts\
<GPOPath>\User\Scripts\

Possible investigation steps

This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.
Retrieve the contents of the ScheduledTasks.xml file, and check the <Command> and <Arguments> XML tags for any potentially malicious commands or binaries.
Investigate other alerts associated with the user/host during the past 48 hours.
Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.

False positive analysis

Verify if the execution is legitimately authorized and executed under a change management process.

Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf
Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e

Response and remediation

Initiate the incident response process based on the outcome of the triage.
The investigation and containment must be performed in every computer controlled by the GPO, where necessary.
Remove the script from the GPO.
Check if other GPOs have suspicious scripts attached.
Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).

Rule Query

		any where host.os.type == "windows" and event.code in ("5136", "5145") and
(
  (
    winlog.event_data.AttributeLDAPDisplayName : (
      "gPCMachineExtensionNames",
      "gPCUserExtensionNames"
    ) and
    winlog.event_data.AttributeValue : "*42B5FAAE-6536-11D2-AE5A-0000F87571E3*" and
    winlog.event_data.AttributeValue : (
      "*40B66650-4972-11D1-A7CA-0000F87571E3*",
      "*40B6664F-4972-11D1-A7CA-0000F87571E3*"
    )
  ) or
  (
    winlog.event_data.ShareName : "\\\\*\\SYSVOL" and
    winlog.event_data.RelativeTargetName : ("*\\scripts.ini", "*\\psscripts.ini") and
    winlog.event_data.AccessList:"*%%4417*"
  )
)

	

Framework: MITRE ATT&CK

Tactic:
- Name: Privilege Escalation
- Id: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
Technique:
- Name: Domain or Tenant Policy Modification
- Id: T1484
- Reference URL: https://attack.mitre.org/techniques/T1484/
Sub Technique:
- Name: Group Policy Modification
- Id: T1484.001
- Reference URL: https://attack.mitre.org/techniques/T1484/001/
Technique:
- Name: Boot or Logon Autostart Execution
- Id: T1547
- Reference URL: https://attack.mitre.org/techniques/T1547/