
Startup/Logon Script Added to Group Policy Object

Status
test
Severity
medium
Log source
product windows, service security
Author
Elastic, Josh Nickels, Marius Rothenbücher
Source
github.com/SigmaHQ/sigma

Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects. The rule pairs two sources: Event ID 5136 (a directory service change to the gPCMachineExtensionNames or gPCUserExtensionNames attribute, which lists the client-side extensions a GPO enables) and Event ID 5145 (a write to scripts.ini or psscripts.ini on the SYSVOL share). Note that the rule's logsource definition only names "Audit Detailed File Share", which covers 5145; 5136 is only generated when "DS Access > Audit Directory Service Changes" is enabled and the Group Policy container objects carry an auditing SACL.

Rule body (YAML)

title: Startup/Logon Script Added to Group Policy Object
id: 123e4e6d-b123-48f8-b261-7214938acaf0
status: test
description: |
    Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
references:
    - https://www.elastic.co/guide/en/security/current/startup-logon-script-added-to-group-policy-object.html
author: Elastic, Josh Nickels, Marius Rothenbücher
date: 2024-09-06
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.defense-impairment
    - attack.t1484.001
    - attack.t1547
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
    selection_eventid:
        EventID:
            - 5136
            - 5145
    selection_attributes_main:
        AttributeLDAPDisplayName:
            - 'gPCMachineExtensionNames'
            - 'gPCUserExtensionNames'
        AttributeValue|contains: '42B5FAAE-6536-11D2-AE5A-0000F87571E3'
    selection_attributes_optional:
        AttributeValue|contains:
            - '40B6664F-4972-11D1-A7CA-0000F87571E3'
            - '40B66650-4972-11D1-A7CA-0000F87571E3'
    selection_share:
        ShareName|endswith: '\SYSVOL'
        RelativeTargetName|endswith:
            - '\scripts.ini'
            - '\psscripts.ini'
        AccessList|contains: '%%4417'
    condition: selection_eventid and (all of selection_attributes_* or selection_share)
falsepositives:
    - Legitimate execution by system administrators.
level: medium

Stages and Predicates

Stage 0: condition

selection_eventid and (all of selection_attributes_* or selection_share)

Stage 1: selection_eventid

selection_eventid:
    EventID:
        - 5136
        - 5145

Stage 2: selection_attributes_main

selection_attributes_main:
    AttributeLDAPDisplayName:
        - 'gPCMachineExtensionNames'
        - 'gPCUserExtensionNames'
    AttributeValue|contains: '42B5FAAE-6536-11D2-AE5A-0000F87571E3'

Stage 3: selection_attributes_optional

selection_attributes_optional:
    AttributeValue|contains:
        - '40B6664F-4972-11D1-A7CA-0000F87571E3'
        - '40B66650-4972-11D1-A7CA-0000F87571E3'

Stage 4: selection_share

selection_share:
    ShareName|endswith: '\SYSVOL'
    RelativeTargetName|endswith:
        - '\scripts.ini'
        - '\psscripts.ini'
    AccessList|contains: '%%4417'
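The rule's condition, re-implemented over constructed 5136/5145 events so that the three selections and the `all of selection_attributes_*` join can be exercised end to end. This is an added example, not code from SigmaHQ, Elastic or the rule authors: the events, the GPO distinguished name and the SYSVOL paths are constructed, and the meanings given in the comments for the GUIDs and the %%4417 access token come from Microsoft's Group Policy and security-auditing documentation rather than from the rule itself.

```python
"""Startup/Logon Script Added to GPO: the Sigma condition as plain Python.

Added example; not code from SigmaHQ, Elastic or the rule authors.  Field
names are the rule's own.  Sample events below are constructed, not captured.
"""

# {42B5FAAE-...}: client-side extension (CSE) GUID for Scripts (gpscript.dll).
SCRIPTS_CSE = "42B5FAAE-6536-11D2-AE5A-0000F87571E3"
# MMC tool-extension GUIDs that the editor writes next to the Scripts CSE:
#   40B6664F-...  Scripts (Startup/Shutdown)  -> gPCMachineExtensionNames
#   40B66650-...  Scripts (Logon/Logoff)      -> gPCUserExtensionNames
SCRIPTS_TOOL_EXTENSIONS = (
    "40B6664F-4972-11D1-A7CA-0000F87571E3",
    "40B66650-4972-11D1-A7CA-0000F87571E3",
)
WRITE_DATA = "%%4417"  # 5145 AccessList token: WriteData (or AddFile)


def _s(ev, field):
    """Sigma string matching is case-insensitive, so fold before comparing."""
    return str(ev.get(field, "")).casefold()


def selection_eventid(ev):
    return ev.get("EventID") in (5136, 5145)


def selection_attributes_main(ev):
    names = ("gpcmachineextensionnames", "gpcuserextensionnames")
    return (_s(ev, "AttributeLDAPDisplayName") in names
            and SCRIPTS_CSE.casefold() in _s(ev, "AttributeValue"))


def selection_attributes_optional(ev):
    value = _s(ev, "AttributeValue")
    return any(g.casefold() in value for g in SCRIPTS_TOOL_EXTENSIONS)


def selection_share(ev):
    return (_s(ev, "ShareName").endswith("\\sysvol")
            and _s(ev, "RelativeTargetName").endswith(("\\scripts.ini", "\\psscripts.ini"))
            and WRITE_DATA in _s(ev, "AccessList"))


def matches(ev):
    """condition: selection_eventid and (all of selection_attributes_* or selection_share)"""
    return selection_eventid(ev) and (
        (selection_attributes_main(ev) and selection_attributes_optional(ev))
        or selection_share(ev)
    )


# Constructed sample events.  The GPO GUID is the well-known Default Domain
# Controllers Policy; OperationType %%14674 is "Value Added".
GPO_DN = "CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example"
SYSVOL_INI = ("corp.example\\Policies\\{6AC1786C-016F-11D2-945F-00C04FB984F9}"
              "\\Machine\\Scripts\\scripts.ini")
SAMPLE_EVENTS = [
    # 0. Startup script added: Scripts CSE plus Startup/Shutdown tool GUID -> alert.
    {"EventID": 5136, "ObjectDN": GPO_DN, "OperationType": "%%14674",
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
     "AttributeValue": "[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}]"},
    # 1. Registry/Administrative Templates CSE only (constructed value) -> no alert.
    {"EventID": 5136, "ObjectDN": GPO_DN, "OperationType": "%%14674",
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
     "AttributeValue": "[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]"},
    # 2. Scripts CSE without a tool-extension GUID: 'all of' fails -> no alert.
    {"EventID": 5136, "ObjectDN": GPO_DN, "OperationType": "%%14674",
     "AttributeLDAPDisplayName": "gPCUserExtensionNames",
     "AttributeValue": "[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}]"},
    # 3. Write to scripts.ini on SYSVOL (WriteData + AppendData) -> alert.
    {"EventID": 5145, "ShareName": "\\\\*\\SYSVOL",
     "RelativeTargetName": SYSVOL_INI, "AccessList": "%%4417 %%4418"},
    # 4. Client applying policy reads the same file (ReadData only) -> no alert.
    {"EventID": 5145, "ShareName": "\\\\*\\SYSVOL",
     "RelativeTargetName": SYSVOL_INI, "AccessList": "%%4416"},
    # 5. Same tokens on a different event ID -> filtered by selection_eventid.
    {"EventID": 4663, "ShareName": "\\\\*\\SYSVOL", "AccessList": "%%4417"},
]


def matching_indices(events):
    """Indices of the events the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches(ev)]


if __name__ == "__main__":
    for i in matching_indices(SAMPLE_EVENTS):
        print(f"event {i}: {SAMPLE_EVENTS[i]}")
```

Two things the sample set makes visible. First, the `all of` join means a 5136 event that carries the Scripts CSE GUID but neither tool-extension GUID (event 2) does not fire, so the second selection is not really optional despite its name. Second, the rule does not filter 5136 on OperationType: when an attribute value is changed, Active Directory logs a "Value Deleted" (%%14675) event followed by a "Value Added" (%%14674) event, and both carry the GUID list, so re-saving a GPO that already has scripts, or removing a script, also produces alerts that an analyst has to pair up.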

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field                    | Kind      | Values
AccessList               | match     | %%4417 (corpus 11: sigma 8, elastic 2, splunk 1)
AttributeLDAPDisplayName | eq        | gPCMachineExtensionNames (corpus 7: sigma 3, elastic 3, splunk 1)
                         |           | gPCUserExtensionNames (corpus 4: sigma 2, elastic 2)
AttributeValue           | match     | 40B6664F-4972-11D1-A7CA-0000F87571E3 (corpus 2: sigma 1, elastic 1)
                         |           | 40B66650-4972-11D1-A7CA-0000F87571E3 (corpus 2: sigma 1, elastic 1)
                         |           | 42B5FAAE-6536-11D2-AE5A-0000F87571E3 (corpus 2: sigma 1, elastic 1)
RelativeTargetName       | ends_with | \psscripts.ini (corpus 2: sigma 1, elastic 1)
                         |           | \scripts.ini (corpus 2: sigma 1, elastic 1)
ShareName                | ends_with | \SYSVOL (corpus 2: sigma 2)