Group-Policy

Detection of the creation or modification of new Group Policy based scheduled tasks or services, which can be abused by attackers with domain admin permissions to execute malicious payloads remotely on domain-joined machines, leading to privilege escalation and persistence.

Attackers abuse Group Policy Objects by modifying scheduled task attributes to execute malicious commands across objects controlled by the GPO, potentially leading to privilege escalation and lateral movement.

This rule detects the modification of Group Policy Objects (GPO) to add a startup or logon script to user or computer objects, enabling attackers to achieve privilege escalation and persistence by executing arbitrary commands at scale.