Scheduled Task Creation via Group Policy Object
medium | advisory | 2 rules, 2 TTPs
Detects the creation of scheduled tasks within a Group Policy Object (GPO) by monitoring for the creation of the ScheduledTasks.xml file in the SYSVOL share, potentially indicating malicious persistence.
Platforms: Splunk Enterprise +3
Tags: scheduled-task, gpo, persistence, windows
Active Directory Group Policy Deletion Detected
medium | advisory | 2 rules, 2 TTPs
Detects deletion of an Active Directory Group Policy using event ID 5136, indicating potential malicious activity or misconfiguration.
Platforms: Splunk Enterprise +2
Tags: active-directory, group-policy, gpo, deletion, t1484.001