Merge PR #5000 from @joshnck - Update `Persistence and Execution at S…

…cale via GPO Scheduled Task` update: Persistence and Execution at Scale via GPO Scheduled Task - Increase coverage by adding selection for EID 5136 --------- Co-authored-by: nasbench <[email protected]>
SigmaHQ · Sep 6, 2024 · ad84d82 · ad84d82
1 parent 06b1166
commit ad84d82
Showing 1 changed file with 14 additions and 5 deletions.
diff --git a/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml b/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml
@@ -5,9 +5,10 @@ description: Detect lateral movement using GPO scheduled task, usually used to d
 references:
     - https://twitter.com/menasec1/status/1106899890377052160
     - https://www.secureworks.com/blog/ransomware-as-a-distraction
+    - https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-0-16-1-scheduled-task-execution-at-scale-via-gpo.html
 author: Samir Bousseaden
 date: 2019-04-03
-modified: 2024-08-01
+modified: 2024-09-04
 tags:
     - attack.persistence
     - attack.lateral-movement
@@ -17,14 +18,22 @@ logsource:
     service: security
     definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
 detection:
-    selection:
+    selection_5136:
+        EventID: 5136
+        AttributeLDAPDisplayName:
+            - 'gPCMachineExtensionNames'
+            - 'gPCUserExtensionNames'
+        AttributeValue|contains:
+            - 'CAB54552-DEEA-4691-817E-ED4A4D1AFC72'
+            - 'AADCED64-746C-4633-A97C-D61349046527'
+    selection_5145:
         EventID: 5145
-        ShareName: '\\\\\*\\SYSVOL' # looking for the string \\*\SYSVOL
+        ShareName|endswith: '\SYSVOL' # looking for the string \\*\SYSVOL
         RelativeTargetName|endswith: 'ScheduledTasks.xml'
         AccessList|contains:
             - 'WriteData'
             - '%%4417'
-    condition: selection
+    condition: 1 of selection_*
 falsepositives:
-    - If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks
+    - If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduled tasks.
 level: high