Startup/Logon Script Added to Group Policy Object

Severity: medium
Author: Elastic, Josh Nickels, Marius Rothenbücher
Source: upstream

Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1547` Boot or Logon Autostart Execution
Privilege Escalation	`T1484.001` Domain or Tenant Policy Modification: Group Policy Modification, `T1547` Boot or Logon Autostart Execution
Defense Evasion	`T1484.001` Domain or Tenant Policy Modification: Group Policy Modification

Event coverage

Provider	Event ID	Title
Security-Auditing	5136	A directory service object was modified.
Security-Auditing	5145	A network share object was checked to see whether client can be granted desired access.

Stages and Predicates

Stage 1: `selection_eventid`

Stage 2: `all of selection_attributes_main`

AttributeLDAPDisplayName: [gPCMachineExtensionNames, gPCUserExtensionNames]
AttributeValue|contains: '42B5FAAE-6536-11D2-AE5A-0000F87571E3'

Stage 3: `all of selection_attributes_optional`

or:
AttributeValue|contains: '40B6664F-4972-11D1-A7CA-0000F87571E3'
AttributeValue|contains: '40B66650-4972-11D1-A7CA-0000F87571E3'

Stage 4: `selection_share`

or:
RelativeTargetName|endswith: '\psscripts.ini'
RelativeTargetName|endswith: '\scripts.ini'
AccessList|contains: '%%4417'
ShareName|endswith: '\SYSVOL'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`AccessList`	match	`%%4417` corpus 3 (sigma 3)
`AttributeLDAPDisplayName`	eq	`gPCMachineExtensionNames` corpus 4 (sigma 3, splunk 1) `gPCUserExtensionNames` corpus 2 (sigma 2)
`AttributeValue`	match	`40B6664F-4972-11D1-A7CA-0000F87571E3` `40B66650-4972-11D1-A7CA-0000F87571E3` `42B5FAAE-6536-11D2-AE5A-0000F87571E3`
`RelativeTargetName`	ends_with	`\psscripts.ini` `\scripts.ini`
`ShareName`	ends_with	`\SYSVOL` corpus 2 (sigma 2)

Neighbors

Stricter alternatives (narrower than this rule)

The rules below may be useful if you find the current rule is too noisy / lacks specificity.

Startup/Logon Script added to Group Policy Object [elastic] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Scheduled Task Execution at Scale via GPO [elastic] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Persistence and Execution at Scale via GPO Scheduled Task [sigma] (adds 2 filters) (first-stage match only; downstream stages may differ)

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Potential Kerberos Coercion via DNS-Based SPN Spoofing [elastic]
Suspicious Remote Registry Access via SeBackupPrivilege [elastic]
Startup/Logon Script added to Group Policy Object [elastic]
Scheduled Task Execution at Scale via GPO [elastic]
Persistence and Execution at Scale via GPO Scheduled Task [sigma]
Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation [sigma]
Windows AD Short Lived Server Object [splunk]
Windows Administrative Shares Accessed On Multiple Hosts [splunk]

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.

Persistence and Execution at Scale via GPO Scheduled Task [sigma]
Startup/Logon Script added to Group Policy Object [elastic]
Scheduled Task Execution at Scale via GPO [elastic]