Threat Feed
Advisory severity: medium

GPO Scheduled Task Abuse for Privilege Escalation and Lateral Movement

Attackers abuse Group Policy Objects by modifying scheduled task attributes to execute malicious commands across objects controlled by the GPO, potentially leading to privilege escalation and lateral movement.

Attackers can abuse Group Policy Objects (GPOs) to execute scheduled tasks at scale, compromising every computer or user to which a given GPO applies. This involves modifying the contents of the <GPOPath>\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml file, the Group Policy Preferences file that defines the tasks the GPO deploys. By altering the XML file to include malicious commands, attackers can achieve privilege escalation or lateral movement within the domain. This technique leverages a legitimate Active Directory mechanism, so detection depends on differentiating authorized administrative changes from malicious ones. The modification can be identified through changes to the gPCMachineExtensionNames or gPCUserExtensionNames attributes of the GPO object in Active Directory, which register the client-side extensions (Scheduled Tasks among them) that the GPO uses.

Attack Chain

  1. Attacker gains initial access to a system with permissions to modify GPOs.
  2. Attacker modifies the ScheduledTasks.xml file within the SYSVOL share of a targeted GPO (\\*\SYSVOL).
  3. The attacker changes the contents of the XML file to include a malicious <Command> and <Arguments> tag.
  4. The modified GPO is replicated to domain controllers.
  5. Target systems receive the updated GPO during regular group policy refresh cycles.
  6. The scheduled task defined in the modified ScheduledTasks.xml is executed on the target systems.
  7. The malicious command executes, potentially escalating privileges or facilitating lateral movement.
  8. Attacker achieves desired objective, such as installing malware, creating new accounts, or exfiltrating data.
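Because the attack chain above ends with whatever <Command> and <Arguments> the XML now carries, a defender's first check is to inventory the actions a GPO's ScheduledTasks.xml defines and compare them with what change management approved. The following is an added example, not code from the advisory or its vendor: element and attribute names follow the Group Policy Preferences ScheduledTasks.xml layout (TaskV2 and ImmediateTaskV2 elements with Properties/Task/Actions/Exec, legacy Task elements with appName and args attributes), while the sample XML, the task UIDs, the paths and the baseline are constructed.

```python
"""Inventory the actions in a GPP ScheduledTasks.xml and diff them against an approved baseline.

Added example; not code from the advisory. The sample XML and the baseline are constructed.
"""
import xml.etree.ElementTree as ET

TASK_TAGS = {"Task", "TaskV2", "ImmediateTask", "ImmediateTaskV2"}

# Constructed ScheduledTasks.xml: one approved inventory task and one immediate
# task nobody approved, running as SYSTEM on every machine the GPO applies to.
SAMPLE_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks>
  <TaskV2 name="Inventory" changed="2024-01-10 08:00:00" uid="{11111111-1111-1111-1111-111111111111}">
    <Properties action="U" name="Inventory" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.2">
        <Actions Context="Author">
          <Exec><Command>C:\Scripts\inventory.exe</Command><Arguments>/quiet</Arguments></Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
  <ImmediateTaskV2 name="Update" changed="2024-05-02 23:41:07" uid="{22222222-2222-2222-2222-222222222222}">
    <Properties action="C" name="Update" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec><Command>cmd.exe</Command><Arguments>/c \\fs01\share\update.bat</Arguments></Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>
"""

# Constructed baseline: what change management approved for this GPO.
BASELINE = {
    "{11111111-1111-1111-1111-111111111111}": {
        "name": "Inventory",
        "run_as": r"NT AUTHORITY\System",
        "command": r"C:\Scripts\inventory.exe",
        "arguments": "/quiet",
    },
}


def extract_tasks(xml_text):
    """Return {uid: task} for every task element, with the action it executes."""
    root = ET.fromstring(xml_text)
    tasks = {}
    for elem in root:
        if elem.tag not in TASK_TAGS:
            continue
        props = elem.find("Properties")
        if props is None:
            continue
        exec_elem = props.find("./Task/Actions/Exec")
        if exec_elem is not None:
            # TaskV2 / ImmediateTaskV2 carry a Task Scheduler 2.0 definition
            command = (exec_elem.findtext("Command") or "").strip()
            arguments = (exec_elem.findtext("Arguments") or "").strip()
        else:
            # legacy Task elements put the program and its arguments in attributes
            command = props.get("appName", "")
            arguments = props.get("args", "")
        tasks[elem.get("uid", elem.get("name"))] = {
            "kind": elem.tag,
            "name": props.get("name", elem.get("name", "")),
            "run_as": props.get("runAs", ""),
            "command": command,
            "arguments": arguments,
            "changed": elem.get("changed", ""),
        }
    return tasks


def diff_against_baseline(current, baseline):
    """Flag tasks that are new, removed, or whose command, arguments or identity changed."""
    findings = []
    for uid, task in current.items():
        approved = baseline.get(uid)
        if approved is None:
            findings.append({"finding": "new_task", "uid": uid, **task})
            continue
        for field in ("command", "arguments", "run_as"):
            if task[field] != approved[field]:
                findings.append({"finding": f"changed_{field}", "uid": uid, **task})
    for uid in baseline.keys() - current.keys():
        findings.append({"finding": "removed_task", "uid": uid, **baseline[uid]})
    return findings


def check_sample():
    """Run the diff on the constructed sample against the constructed baseline."""
    return diff_against_baseline(extract_tasks(SAMPLE_XML), BASELINE)


if __name__ == "__main__":
    for f in check_sample():
        print(f"{f['finding']}: {f.get('kind', '?')} '{f['name']}' runAs={f['run_as']} "
              f"-> {f['command']} {f['arguments']} (changed {f.get('changed', '?')})")
```

Run against the sample, the script reports one finding: the unapproved ImmediateTaskV2 running cmd.exe as SYSTEM. Keying on the task uid rather than its name matters in practice, since an attacker editing an existing task keeps the uid, which surfaces as changed_command or changed_arguments rather than as a new task.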

Impact

Successful exploitation allows attackers to execute arbitrary code on systems managed by the modified GPO. The scope of impact depends on the targeted GPO and the permissions of the scheduled task. This can lead to widespread compromise, affecting numerous systems and users within the domain. The modification of GPOs can be difficult to detect without proper monitoring, potentially allowing attackers to maintain persistence and control over the environment.

Recommendation

  • Enable and monitor Windows audit policies for “Audit Directory Service Changes” and “Audit Detailed File Share” to detect modifications to GPOs and file share access, as outlined in the setup section.
  • Deploy the Sigma rule “Scheduled Task Execution via GPO Attribute Modification” to detect modifications to the gPCMachineExtensionNames or gPCUserExtensionNames attributes.
  • Deploy the Sigma rule “Scheduled Task XML File Modification in SYSVOL” to detect modifications to the ScheduledTasks.xml file in SYSVOL shares.
  • Review and validate any changes to GPOs, specifically those related to scheduled tasks, to ensure they are authorized and legitimate.
  • Monitor for the execution of unexpected or malicious commands originating from scheduled tasks created or modified via GPOs.
  • Regularly audit and review GPO configurations to identify any potential weaknesses or misconfigurations that could be exploited.

Detection coverage (2 rules)

Scheduled Task Execution via GPO Attribute Modification

medium

Detects modifications to Group Policy Object attributes related to scheduled task extensions.

Sigma rule. Tactics: lateral_movement, privilege_escalation. Techniques: T1053.005, T1484.001. Sources: process_creation, windows.

Scheduled Task XML File Modification in SYSVOL

medium

Detects modifications to the ScheduledTasks.xml file within the SYSVOL share, indicating potential GPO abuse.

Sigma rule. Tactics: lateral_movement, privilege_escalation. Techniques: T1053.005, T1484.001. Sources: file_event, windows.
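The two rules summarised above, and the audit-policy and Sigma recommendations in the Recommendation section, come down to matching two kinds of records: a Directory Service Changes event on the GPO's extension attributes, and a write to ScheduledTasks.xml under a SYSVOL policy folder. The following is an added example of that matching logic in Python, not the vendor's Sigma rules or the platform's queries. Record shapes follow Security event 5136 (Directory Service Changes), Security event 5145 (Detailed File Share) and Sysmon event 11 (FileCreate); every record is constructed. The Scheduled Tasks client-side extension GUID and the WriteData bit of the 5145 access mask are assumed values that should be verified before use; the GPO GUID is the well-known Default Domain Policy one.

```python
"""Match constructed Windows event records against the two detections the advisory describes.

Added example, not the vendor's Sigma rules. All records below are constructed.
"""
import re

GPO_EXTENSION_ATTRS = {"gpcmachineextensionnames", "gpcuserextensionnames"}
# GUID of the Group Policy Preferences "Scheduled Tasks" client-side extension (assumed; verify).
SCHEDULED_TASKS_CSE = "{AADCED64-746C-4633-A97C-D61349046527}"
# Bit in the 5145 AccessMask that grants WriteData/AddFile (assumed; verify).
WRITE_DATA = 0x2
# Preference file location relative to a GPO folder, on either the Machine or the User side.
SYSVOL_TASK_XML = re.compile(
    r"\\(Machine|User)\\Preferences\\ScheduledTasks\\ScheduledTasks\.xml$", re.IGNORECASE
)


def match_gpo_attribute_modification(event):
    """Rule 1: a 5136 change to gPCMachineExtensionNames or gPCUserExtensionNames."""
    if event.get("EventID") != 5136:
        return None
    if event.get("AttributeLDAPDisplayName", "").lower() not in GPO_EXTENSION_ATTRS:
        return None
    value = event.get("AttributeValue", "").upper()
    return {
        "rule": "Scheduled Task Execution via GPO Attribute Modification",
        "user": event.get("SubjectUserName"),
        "gpo": event.get("ObjectDN"),
        "attribute": event.get("AttributeLDAPDisplayName"),
        # True when the written value registers the Scheduled Tasks CSE on this GPO
        "scheduled_tasks_cse": SCHEDULED_TASKS_CSE in value,
    }


def match_sysvol_xml_modification(event):
    """Rule 2: ScheduledTasks.xml written under a SYSVOL policy folder."""
    eid = event.get("EventID")
    if eid == 11:  # Sysmon FileCreate on a domain controller's local SYSVOL path
        path = event.get("TargetFilename", "")
        if "\\sysvol\\" in path.lower() and SYSVOL_TASK_XML.search(path):
            return {"rule": "Scheduled Task XML File Modification in SYSVOL",
                    "user": event.get("User"), "path": path, "source": "sysmon_11"}
    elif eid == 5145:  # Detailed File Share: SMB access to the SYSVOL share
        share = event.get("ShareName", "").lower()
        rel = event.get("RelativeTargetName", "")
        mask = int(event.get("AccessMask", "0x0"), 16)
        if share.endswith("\\sysvol") and SYSVOL_TASK_XML.search(rel) and mask & WRITE_DATA:
            return {"rule": "Scheduled Task XML File Modification in SYSVOL",
                    "user": event.get("SubjectUserName"), "path": rel, "source": "security_5145"}
    return None


def run_detections(events):
    """Apply both rules to a sequence of event records and return the alerts."""
    alerts = []
    for event in events:
        for rule in (match_gpo_attribute_modification, match_sysvol_xml_modification):
            hit = rule(event)
            if hit is not None:
                alerts.append(hit)
    return alerts


# Constructed records: the GPO GUID is the well-known Default Domain Policy one,
# user names and host paths are made up.
GPO_GUID = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": f"CN={GPO_GUID},CN=Policies,CN=System,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
     "AttributeValue": "[{AADCED64-746C-4633-A97C-D61349046527}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]"},
    {"EventID": 5136, "SubjectUserName": "gpo-admin", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": f"CN={GPO_GUID},CN=Policies,CN=System,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "versionNumber", "AttributeValue": "65539"},  # benign version bump
    {"EventID": 11, "User": "CORP\\jdoe",
     "TargetFilename": rf"C:\Windows\SYSVOL\domain\Policies\{GPO_GUID}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml"},
    {"EventID": 5145, "SubjectUserName": "jdoe", "ShareName": r"\\*\SYSVOL", "AccessMask": "0x2",
     "RelativeTargetName": rf"corp.example\Policies\{GPO_GUID}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml"},
    {"EventID": 5145, "SubjectUserName": "svc-backup", "ShareName": r"\\*\SYSVOL", "AccessMask": "0x1",
     "RelativeTargetName": rf"corp.example\Policies\{GPO_GUID}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml"},  # read only
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

On the sample, three alerts fire: the extension-attribute change, the Sysmon FileCreate, and the SMB write; the versionNumber change and the read-only share access are ignored. Both 5136 and 5145 only exist if the audit subcategories named in the Recommendation section are enabled, and the 5145 path is the one that catches an attacker editing the file over the network rather than on the domain controller itself.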
