Group-Policy — CraftedSignal Threat Feed

GPO Scheduled Task or Service Creation/Modification

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

Attackers with domain administrator privileges can abuse Group Policy Objects (GPOs) to deploy malicious payloads across a Windows domain. By creating or modifying scheduled tasks or services via GPOs, an attacker can achieve both privilege escalation and persistence. This involves modifying files such as ScheduledTasks.xml or Services.xml within the SYSVOL share. The modifications are replicated to domain-joined machines when the GPO is applied. This technique allows for remote code execution and control over a significant number of systems from a central point, making it a powerful tool for adversaries targeting enterprise environments. The described rule detects file modifications within specific GPO paths, excluding changes made by the dfsrs.exe process to reduce false positives. The rule is designed to detect suspicious activities related to scheduled tasks and services within Group Policy settings, helping security teams identify and respond to potential threats originating from compromised domain administrator accounts.

Attack Chain

Attacker gains domain administrator privileges through compromised credentials or exploiting a vulnerability.
Attacker navigates to the SYSVOL share, typically located at \\\SYSVOL\\Policies\.
Attacker identifies a GPO to modify or creates a new GPO.
Attacker modifies the ScheduledTasks.xml or Services.xml file within the GPO’s directory (\MACHINE\Preferences\ScheduledTasks\ or \MACHINE\Preferences\Services\).
The modified XML file contains instructions to create a scheduled task or service that executes a malicious payload.
The Group Policy Management Console (GPMC) or other tools are used to link the GPO to an organizational unit (OU) containing target computers.
Target machines within the OU receive the updated GPO settings during the next Group Policy refresh cycle (or forced via gpupdate /force).
The scheduled task or service is created on the target machine, executing the attacker’s malicious payload and achieving persistence or privilege escalation.

Impact

A successful attack can lead to widespread compromise across the domain. Attackers can execute arbitrary code on numerous systems, potentially leading to data exfiltration, ransomware deployment, or disruption of critical services. The impact can range from minor inconveniences to complete operational shutdown, depending on the nature of the malicious payload and the attacker’s objectives. Without proper detection and response mechanisms, such attacks can persist for extended periods, causing significant damage to the organization.

Recommendation

Deploy the Sigma rule Detect GPO Scheduled Task/Service Modification via File Event to detect unauthorized modifications to ScheduledTasks.xml and Services.xml files within GPO paths.
Enable Sysmon file creation and modification logging to provide the necessary data for the Sigma rules to function effectively.
Review and harden GPO management access controls to limit the potential for abuse by compromised accounts, based on the observed T1484.001 technique.
Investigate any alerts generated by the deployed rules, focusing on the user accounts and processes involved in the file modifications as described in the overview.
Monitor for process execution from unusual locations based on service creation or scheduled task as described in the TTPs.

GPO Scheduled Task Abuse for Privilege Escalation and Lateral Movement

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

Attackers can abuse Group Policy Objects (GPOs) to execute scheduled tasks at scale, compromising objects controlled by a given GPO. This involves modifying the contents of the \\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml file. By altering the XML file to include malicious commands, attackers can achieve privilege escalation or lateral movement within the domain. This technique leverages a legitimate Active Directory mechanism, making it essential to differentiate between authorized administrative actions and malicious activities. The modification can be identified through changes to gPCMachineExtensionNames or gPCUserExtensionNames attributes within Active Directory.

Attack Chain

Attacker gains initial access to a system with permissions to modify GPOs.
Attacker modifies the ScheduledTasks.xml file within the SYSVOL share of a targeted GPO (\\\\*\\SYSVOL).
The attacker changes the contents of the XML file to include a malicious and tag.
The modified GPO is replicated to domain controllers.
Target systems receive the updated GPO during regular group policy refresh cycles.
The scheduled task defined in the modified ScheduledTasks.xml is executed on the target systems.
The malicious command executes, potentially escalating privileges or facilitating lateral movement.
Attacker achieves desired objective, such as installing malware, creating new accounts, or exfiltrating data.

Impact

Successful exploitation allows attackers to execute arbitrary code on systems managed by the modified GPO. The scope of impact depends on the targeted GPO and the permissions of the scheduled task. This can lead to widespread compromise, affecting numerous systems and users within the domain. The modification of GPOs can be difficult to detect without proper monitoring, potentially allowing attackers to maintain persistence and control over the environment.

Recommendation

Enable and monitor Windows audit policies for “Audit Directory Service Changes” and “Audit Detailed File Share” to detect modifications to GPOs and file share access, as outlined in the setup section.
Deploy the Sigma rule “Scheduled Task Execution via GPO Attribute Modification” to detect modifications to the gPCMachineExtensionNames or gPCUserExtensionNames attributes (rule: Scheduled Task Execution via GPO Attribute Modification).
Deploy the Sigma rule “Scheduled Task XML File Modification in SYSVOL” to detect modifications to the ScheduledTasks.xml file in SYSVOL shares (rule: Scheduled Task XML File Modification in SYSVOL).
Review and validate any changes to GPOs, specifically those related to scheduled tasks, to ensure they are authorized and legitimate.
Monitor for the execution of unexpected or malicious commands originating from scheduled tasks created or modified via GPOs.
Regularly audit and review GPO configurations to identify any potential weaknesses or misconfigurations that could be exploited.

GPO Modification to Add Startup/Logon Scripts

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

Attackers may abuse Group Policy Objects (GPOs) to execute malicious commands at startup, logon, shutdown, and logoff by modifying the scripts.ini or psscripts.ini files. This involves adding or modifying these files within the \\Machine\\Scripts\\ or \\User\\Scripts\\ directories. Such modifications can lead to privilege escalation by running commands with elevated privileges when users log on or systems start. Successful exploitation allows the attacker to maintain persistent access and control over the targeted systems within the Active Directory environment. This activity is often used in post-exploitation scenarios after initial access has been gained through other means, such as phishing or exploiting vulnerabilities. The goal is to achieve widespread command execution across multiple systems within the domain.

Attack Chain

An attacker gains initial access to a system with sufficient privileges to modify GPOs, often through compromised credentials or exploiting a vulnerability.
The attacker identifies a target GPO to modify, typically one that applies to a large number of users or computers.
The attacker modifies either the scripts.ini or psscripts.ini file within the Machine\\Scripts or User\\Scripts directory of the targeted GPO.
The modification involves adding a new script entry or modifying an existing one to point to a malicious script or command. This script can be a batch file, PowerShell script, or executable.
The attacker links the GPO to an Organizational Unit (OU) containing the target computers or users, or modifies the existing GPO link.
When targeted users log on or computers start up, the GPO settings are applied, and the malicious script is executed.
The malicious script performs actions such as installing malware, adding user accounts with elevated privileges, or modifying system configurations.
The attacker achieves persistence and/or elevated privileges across the targeted systems, enabling further malicious activities.

Impact

Successful exploitation allows attackers to execute arbitrary commands with elevated privileges across numerous systems within the targeted domain. This can result in widespread malware infection, data theft, or complete system compromise. The impact can range from operational disruption to significant financial loss and reputational damage, affecting potentially hundreds or thousands of machines. Since this attack leverages legitimate Active Directory functionalities, detection can be challenging without proper monitoring and alerting mechanisms in place.

Recommendation

Enable “Audit Directory Service Changes” and “Audit Detailed File Share” Windows audit policies to generate the events required for detection, as described in the setup instructions and audit detailed file share instructions.
Deploy the Sigma rule “Detect GPO Modification for Startup/Logon Scripts” to your SIEM to detect modifications to GPOs that add or modify startup/logon scripts.
Monitor Windows Security Event Logs for Event IDs 5136 and 5145 related to GPO modifications.
Regularly review GPO settings to identify any unauthorized or suspicious scripts.