<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Gpo — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/gpo/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/gpo/feed.xml" rel="self" type="application/rss+xml"/><item><title>Scheduled Task Creation via Group Policy Object</title><link>https://feed.craftedsignal.io/briefs/2024-01-gpo-scheduled-task/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-gpo-scheduled-task/</guid><description>Detects the creation of scheduled tasks within a Group Policy Object (GPO) by monitoring for the creation of the ScheduledTasks.xml file in the SYSVOL share, potentially indicating malicious persistence.</description><content:encoded><![CDATA[<p>This detection identifies a potential method for establishing persistence on Windows systems by monitoring the creation of scheduled tasks through Group Policy Objects (GPOs). Threat actors may abuse GPOs to deploy malicious scheduled tasks across numerous machines in a domain. When a scheduled task is created via GPO, a ScheduledTasks.xml file containing its configuration is created within a specific folder of the SYSVOL share. The detection leverages Windows Event ID 5145 (detailed file share access), looking for file creation events that reference this ScheduledTasks.xml file.
While legitimate GPO scheduled task creation can occur, the relative infrequency of this activity makes it a valuable indicator of potential compromise. This technique allows attackers to maintain access to systems and execute commands at specified intervals, blending in with legitimate administrative activities and making detection more challenging.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to a system or obtains credentials with sufficient privileges to modify GPOs.</li>
<li>The attacker navigates to the Group Policy Management Console (GPMC) on a domain controller or a system with RSAT installed.</li>
<li>The attacker identifies an existing GPO or creates a new GPO to target specific systems or users.</li>
<li>Within the GPO settings, the attacker navigates to the Scheduled Tasks section under Computer Configuration or User Configuration.</li>
<li>The attacker creates a new scheduled task, defining its properties, such as the trigger (time, event, etc.), the action to be performed (execute a program, send an email, etc.), and the user account under which the task will run.</li>
<li>When the GPO is applied to the target systems, the ScheduledTasks.xml file is created in the <code>\\&lt;DOMAIN&gt;\SYSVOL\&lt;DOMAIN&gt;\Policies\{&lt;GPO_GUID&gt;}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml</code> path.</li>
<li>The target system processes the GPO, creating the scheduled task according to the settings defined in the XML file.</li>
<li>The scheduled task executes at the specified trigger, carrying out the malicious action defined by the attacker (e.g., executing malware, running scripts, or establishing persistence).</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to establish persistent access to targeted systems. By creating malicious scheduled tasks through GPOs, attackers can execute arbitrary code, deploy malware, or perform other malicious activities at specified intervals. The broad deployment capabilities of GPOs can lead to widespread compromise across the domain, affecting numerous systems and users. This technique can be used to maintain a foothold in the environment, even after initial compromises are remediated. The use of legitimate system administration tools and processes makes detection more difficult, allowing attackers to operate with a lower risk of being detected.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable and monitor Windows Event Log Security events, specifically Event ID 5145, to capture file access events on network shares.</li>
<li>Deploy the provided Sigma rule <code>Scheduled Task Created in Group Policy Object</code> to identify suspicious ScheduledTasks.xml creation events in the SYSVOL share.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the source computer (<code>Computer</code>) and the targeted file (<code>RelativeTargetName</code>).</li>
<li>Filter known false positives by creating exceptions for approved GPO deployments as mentioned in <code>known_false_positives</code>.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>scheduled-task</category><category>gpo</category><category>persistence</category><category>windows</category></item><item><title>Active Directory Group Policy Deletion Detected</title><link>https://feed.craftedsignal.io/briefs/2024-01-ad-gpo-deleted/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-ad-gpo-deleted/</guid><description>Detection of Active Directory Group Policy deletion using event ID 5136, indicating potential malicious activity or misconfiguration.</description><content:encoded><![CDATA[<p>This detection identifies when an Active Directory Group Policy Object (GPO) is deleted, potentially indicating malicious activity aimed at disrupting organizational policies or misconfigurations leading to unintended changes. The detection leverages Windows Event Log Security (event ID 5136) and Active Directory monitoring data to correlate the deletion event with the GPO name and the user responsible. It is important to investigate these events promptly, as GPO deletions can have significant impact on the security posture and functionality of a Windows domain. This alert helps defenders identify unauthorized or accidental GPO deletions, enabling rapid response and remediation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to an account with sufficient privileges to manage Group Policy Objects (GPOs).</li>
<li>The attacker uses the Group Policy Management Console (GPMC) or PowerShell cmdlets (e.g., <code>Remove-GPO</code>) to initiate the deletion of a targeted GPO.</li>
<li>The deletion event generates Windows Security Event ID 5136, logging details of the object being modified (the GPO). The <code>AttributeLDAPDisplayName</code> is <code>gpLink</code>.</li>
<li>The event includes OperationType codes %%14675 (old value) and %%14674 (new value), showing the before and after states of the GPO.</li>
<li>The event also includes the <code>ObjectDN</code> (Distinguished Name) of the deleted GPO.</li>
<li>Active Directory monitoring (<code>admon</code>) events, specifically updates to <code>Group-Policy-Container</code>, provide the <code>displayName</code> of the GPO based on its <code>distinguishedName</code>.</li>
<li>The <code>gpLink</code> attribute is removed from the affected Organizational Units (OUs) or domains where the GPO was applied, effectively removing the policies associated with that GPO.</li>
<li>The deletion of the GPO can lead to changes in user and computer settings, potentially weakening security controls or disrupting normal operations.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful deletion of GPOs can severely impact an organization&rsquo;s security posture. Deleted GPOs can lead to systems reverting to default configurations, removal of security policies, and potential exposure to vulnerabilities. The scope of impact depends on the criticality and scope of the deleted GPOs, ranging from affecting a small group of users to compromising the entire domain. This can lead to data breaches, system compromise, or disruption of services. Early detection and remediation are crucial to minimize potential damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Ensure Active Directory auditing is enabled and ingesting Windows Security Event ID 5136 and Active Directory monitoring data. See the referenced Splunk Lantern article for guidance.</li>
<li>Configure the <code>wineventlog_security</code> and <code>admon</code> macros in your Splunk environment to point to the correct indexes as described in the &ldquo;how_to_implement&rdquo; section.</li>
<li>Deploy the provided Sigma rule &ldquo;AD GPO Deleted via Event 5136&rdquo; to detect GPO deletion events. Tune the rule&rsquo;s filter (<code>windows_ad_gpo_deleted_filter</code>) to exclude any known legitimate GPO deletion activities.</li>
<li>Investigate all triggered alerts by examining the source user (<code>src_user</code>) and the deleted GPO (<code>policyName</code>) to determine if the deletion was authorized.</li>
<li>Utilize the provided drilldown searches to investigate the activity of the source user and any associated risk events.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>active-directory</category><category>group-policy</category><category>gpo</category><category>deletion</category><category>t1484.001</category></item></channel></rss>