Scheduled Task Execution at Scale via GPO

Author: Elastic
Source: upstream

Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO.

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1053` Scheduled Task/Job, `T1053.005` Scheduled Task/Job: Scheduled Task
Persistence	`T1053` Scheduled Task/Job, `T1053.005` Scheduled Task/Job: Scheduled Task
Privilege Escalation	`T1053` Scheduled Task/Job, `T1053.005` Scheduled Task/Job: Scheduled Task, `T1484` Domain or Tenant Policy Modification, `T1484.001` Domain or Tenant Policy Modification: Group Policy Modification
Defense Evasion	`T1484` Domain or Tenant Policy Modification, `T1484.001` Domain or Tenant Policy Modification: Group Policy Modification
Lateral Movement	`T1570` Lateral Tool Transfer

Event coverage

Provider	Event ID	Title
Security-Auditing	5136	A directory service object was modified.
Security-Auditing	5145	A network share object was checked to see whether client can be granted desired access.

Stages and Predicates

Stage 1: `eql:any`

winlog.event_data.AttributeLDAPDisplayName:"gPCMachineExtensionNames" and winlog.event_data.AttributeValue:"AADCED64-746C-4633-A97C-D61349046527" and winlog.event_data.AttributeValue:"CAB54552-DEEA-4691-817E-ED4A4D1AFC72"

Stage 2: `eql:any`

winlog.event_data.AccessList:"%%4417" and winlog.event_data.RelativeTargetName:"*ScheduledTasks.xml" and winlog.event_data.ShareName:"\\\\*\\SYSVOL"

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`winlog.event_data.AccessList`	wildcard	`%%4417` corpus 2 (elastic 2)
`winlog.event_data.AttributeLDAPDisplayName`	wildcard	`gPCMachineExtensionNames` corpus 3 (elastic 3) `gPCUserExtensionNames` corpus 2 (elastic 2)
`winlog.event_data.AttributeValue`	wildcard	`AADCED64-746C-4633-A97C-D61349046527` `CAB54552-DEEA-4691-817E-ED4A4D1AFC72`
`winlog.event_data.RelativeTargetName`	wildcard	`*ScheduledTasks.xml`
`winlog.event_data.ShareName`	wildcard	`\\*\SYSVOL` corpus 2 (elastic 2)

Neighbors

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.

Startup/Logon Script Added to Group Policy Object [sigma] (cross-vendor) (drops 3 filters this rule applies) (first-stage match only; downstream stages may differ)

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Potential Kerberos Coercion via DNS-Based SPN Spoofing [elastic]
Suspicious Remote Registry Access via SeBackupPrivilege [elastic]
Startup/Logon Script added to Group Policy Object [elastic]
Persistence and Execution at Scale via GPO Scheduled Task [sigma]
Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation [sigma]
Startup/Logon Script Added to Group Policy Object [sigma]
Windows AD Short Lived Server Object [splunk]
Windows Administrative Shares Accessed On Multiple Hosts [splunk]

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.

Persistence and Execution at Scale via GPO Scheduled Task [sigma]
Startup/Logon Script Added to Group Policy Object [sigma]
Startup/Logon Script added to Group Policy Object [elastic]