Startup/Logon Script added to Group Policy Object

Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.

Rule type: query

Rule indices:

  • winlogbeat-*
  • logs-system.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Privilege Escalation
  • Active Directory

Version: 2 (version history)

Added (Elastic Stack release): 8.0.0

Last modified (Elastic Stack release): 8.1.0

Rule authors: Elastic

Rule license: Elastic License v2

Potential false positives

Legitimate Administrative Activity

Investigation guide

## Triage and analysis

### Investigating Scheduled Task Execution at Scale via GPO

Attackers can use Group Policy Objects as a mechanism to instruct an arbitrarily large group of clients to
execute specified commands at startup, logon, shutdown, and logoff. This is done by creating or modifying the `scripts.ini` or
`psscripts.ini` files. The scripts are stored under the following paths: `<GPOPath>\Machine\Scripts\` and `<GPOPath>\User\Scripts\`.

#### Possible investigation steps:
- This attack abuses a legitimate Active Directory mechanism, so it is important to determine whether the activity is legitimate
and the administrator is authorized to perform this operation.
- Retrieve the contents of the script file, and check for any potentially malicious commands and binaries.
- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.

### False Positive Analysis
- Verify whether the execution is legitimate, authorized, and performed under change management.

### Related Rules
- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf
- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e

### Response and Remediation
- Respond immediately: validate the activity, investigate it, and contain it where necessary to prevent further
post-compromise behavior.

## Config

The 'Audit Detailed File Share' audit policy must be configured (Success, Failure).
Steps to implement the logging policy with Advanced Audit Configuration:
```
Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
Audit Policies >
Object Access >
Audit Detailed File Share (Success,Failure)
```

The 'Audit Directory Service Changes' audit policy must be configured (Success, Failure).
Steps to implement the logging policy with Advanced Audit Configuration:
```
Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
Audit Policies >
DS Access >
Audit Directory Service Changes (Success,Failure)
```

Rule query

```
(
  event.code:5136 and
  winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and
  winlog.event_data.AttributeValue:(
    *42B5FAAE-6536-11D2-AE5A-0000F87571E3* and
    (*40B66650-4972-11D1-A7CA-0000F87571E3* or *40B6664F-4972-11D1-A7CA-0000F87571E3*)
  )
)
or
(
  event.code:5145 and
  winlog.event_data.ShareName:\\\\*\\SYSVOL and
  winlog.event_data.RelativeTargetName:(*\\scripts.ini or *\\psscripts.ini) and
  (message:WriteData or winlog.event_data.AccessList:*%%4417*)
)
```
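The rule's two branches re-implemented in Python and run over constructed sample events, as an added example that is not part of Elastic's rule or documentation. The flattened event-dict layout, the sample values and the `GPO-GUID-PLACEHOLDER` path are assumptions, and the wildcard matching only approximates KQL's.

```python
import fnmatch

# GUIDs from the rule query: Scripts CSE plus the Startup/Shutdown and
# Logon/Logoff script extensions.
SCRIPTS_CSE = "42B5FAAE-6536-11D2-AE5A-0000F87571E3"
SCRIPT_EXTENSIONS = ("40B66650-4972-11D1-A7CA-0000F87571E3",
                     "40B6664F-4972-11D1-A7CA-0000F87571E3")
GPC_ATTRIBUTES = {"gPCMachineExtensionNames", "gPCUserExtensionNames"}

def _glob(value, pattern):
    # Wildcard match on the unescaped KQL pattern (\\\\*\\SYSVOL is \\*\SYSVOL).
    return fnmatch.fnmatchcase(value.casefold(), pattern.casefold())

def matches_rule(event):
    """Return the matching branch name for one flattened event, or None."""
    code, data = event.get("event.code"), event.get("winlog.event_data", {})
    if code == 5136:
        # Branch 1: 5136 writes the Scripts CSE GUID plus a startup/logon script GUID.
        value = data.get("AttributeValue", "").upper()
        if (data.get("AttributeLDAPDisplayName") in GPC_ATTRIBUTES
                and SCRIPTS_CSE in value
                and any(ext in value for ext in SCRIPT_EXTENSIONS)):
            return "gpo_attribute_change"
    if code == 5145:
        # Branch 2: 5145 write (%%4417 = WriteData) to scripts.ini/psscripts.ini on SYSVOL.
        target = data.get("RelativeTargetName", "")
        if (_glob(data.get("ShareName", ""), r"\\*\SYSVOL")
                and (_glob(target, r"*\scripts.ini") or _glob(target, r"*\psscripts.ini"))
                and ("WriteData" in event.get("message", "")
                     or "%%4417" in data.get("AccessList", ""))):
            return "sysvol_script_write"
    return None

# Constructed sample events (not real logs); the GPO GUID is a placeholder.
GPO = r"corp.example\Policies\{GPO-GUID-PLACEHOLDER}"
SAMPLE_EVENTS = [
    {"event.code": 5136, "winlog.event_data": {
        "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
        "AttributeValue": "[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}]"}},
    {"event.code": 5136, "winlog.event_data": {  # Registry CSE only: no alert
        "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
        "AttributeValue": "[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}]"}},
    {"event.code": 5145, "message": "Accesses: WriteData (or AddFile)",
     "winlog.event_data": {"ShareName": r"\\*\SYSVOL", "AccessList": "%%4417",
                           "RelativeTargetName": GPO + r"\Machine\Scripts\scripts.ini"}},
    {"event.code": 5145, "message": "Accesses: ReadData (or ListDirectory)",  # read only: no alert
     "winlog.event_data": {"ShareName": r"\\*\SYSVOL", "AccessList": "%%4416",
                           "RelativeTargetName": GPO + r"\User\Scripts\psscripts.ini"}},
]
```

Running `matches_rule` over `SAMPLE_EVENTS` alerts on the first and third events only; the Registry-only attribute change and the read of psscripts.ini stay quiet, which is the behaviour the query's GUID and access-mask conditions are there to enforce.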

Threat mapping

Framework: MITRE ATT&CK™

Rule version history

Version 2 (8.1.0 release)
  • Formatting only