LoFP / If the source IP is not localhost then it's super suspicious; better to monitor both local and remote changes to GPO scheduled tasks.

Techniques

Sample rules

Persistence and Execution at Scale via GPO Scheduled Task

Description

Detects lateral movement and persistence via a scheduled task pushed through a GPO (Group Policy Preferences ScheduledTasks.xml in SYSVOL), a technique commonly used to deploy ransomware at scale.

Detection logic

selection_5136:
  EventID: 5136
  AttributeLDAPDisplayName:
  - gPCMachineExtensionNames
  - gPCUserExtensionNames
  AttributeValue|contains:
  - CAB54552-DEEA-4691-817E-ED4A4D1AFC72
  - AADCED64-746C-4633-A97C-D61349046527
selection_5145:
  EventID: 5145
  ShareName|endswith: \SYSVOL
  RelativeTargetName|endswith: ScheduledTasks.xml
  AccessList|contains:
  - WriteData
  - '%%4417'
condition: 1 of selection_*
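As an added example (written for this page, not code from the LoFP site or from the original Sigma rule), the Python below applies the two selections above to a handful of constructed Windows Security events and then carries the false-positive note into the output: every 5145 hit is tagged LOCAL or REMOTE from its source address, so a SOC can prioritise remote writes to ScheduledTasks.xml while still keeping the local ones. Field names follow the Security-log event XML as Sigma maps them (EventID, AttributeLDAPDisplayName, AttributeValue, ShareName, RelativeTargetName, AccessList, IpAddress); the sample events, the SubjectUserName values and the set of addresses treated as "localhost" are assumptions for the demonstration. The GUID meanings in the comments (Scheduled Tasks preference CSE and its tool extension) and the %%4417 resolution (WriteData/AddFile) are standard Group Policy and Windows auditing facts, not taken from the page.

```python
# Added example: evaluate the GPO Scheduled Task Sigma selections over constructed
# Security-log events and tag each hit as LOCAL / REMOTE / UNKNOWN by source address.

# GUIDs from the rule: the Group Policy Preferences Scheduled Tasks client-side
# extension and its tool extension. Either appearing in gPCMachineExtensionNames or
# gPCUserExtensionNames means the GPO now carries scheduled-task preference items.
SCHEDULED_TASKS_GUIDS = (
    "CAB54552-DEEA-4691-817E-ED4A4D1AFC72",
    "AADCED64-746C-4633-A97C-D61349046527",
)
GPC_EXTENSION_ATTRIBUTES = ("gpcmachineextensionnames", "gpcuserextensionnames")
# %%4417 is the unresolved form of the WriteData/AddFile access right in 5145 events.
WRITE_ACCESS_TOKENS = ("WriteData", "%%4417")

# Assumption: only loopback counts as "localhost". Add the DC's own addresses here
# if its SMB self-access is logged with a routable IP in your environment.
LOCAL_ADDRESSES = {"127.0.0.1", "::1"}

# Constructed sample events (not real logs). Only the fields the rule needs are present.
SAMPLE_EVENTS = [
    {  # GPO extension list updated to register the Scheduled Tasks CSE
        "EventID": 5136,
        "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
        "AttributeValue": "[{00000000-0000-0000-0000-000000000000}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]"
                          "[{AADCED64-746C-4633-A97C-D61349046527}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]",
        "SubjectUserName": "admin1",
    },
    {  # ScheduledTasks.xml written into SYSVOL over SMB from a workstation (remote)
        "EventID": 5145,
        "ShareName": r"\\*\SYSVOL",
        "RelativeTargetName": r"corp.local\Policies\{GUID}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml",
        "AccessList": "%%4417 %%4418",
        "IpAddress": "10.0.5.23",
        "SubjectUserName": "admin1",
    },
    {  # same write, but from the DC itself: the "localhost" case in the FP note
        "EventID": 5145,
        "ShareName": r"\\*\SYSVOL",
        "RelativeTargetName": r"corp.local\Policies\{GUID}\User\Preferences\ScheduledTasks\ScheduledTasks.xml",
        "AccessList": "WriteData",
        "IpAddress": "::1",
        "SubjectUserName": "DC01$",
    },
    {  # benign: read-only access to the same file (no write right) must not match
        "EventID": 5145,
        "ShareName": r"\\*\SYSVOL",
        "RelativeTargetName": r"corp.local\Policies\{GUID}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml",
        "AccessList": "%%4416 ReadData",
        "IpAddress": "10.0.5.23",
    },
    {  # unrelated GPO attribute change must not match
        "EventID": 5136,
        "AttributeLDAPDisplayName": "gPCFileSysPath",
        "AttributeValue": r"\\corp.local\SysVol\corp.local\Policies\{GUID}",
    },
]


def _contains_any(value, needles):
    """Sigma 'contains' with a list: case-insensitive substring match, any needle wins."""
    v = str(value).lower()
    return any(n.lower() in v for n in needles)


def _endswith(value, suffix):
    """Sigma 'endswith': case-insensitive suffix match."""
    return str(value).lower().endswith(suffix.lower())


def matches_selection_5136(event):
    """selection_5136: a gPC*ExtensionNames attribute now references a Scheduled Tasks GUID."""
    return (
        event.get("EventID") == 5136
        and str(event.get("AttributeLDAPDisplayName", "")).lower() in GPC_EXTENSION_ATTRIBUTES
        and _contains_any(event.get("AttributeValue", ""), SCHEDULED_TASKS_GUIDS)
    )


def matches_selection_5145(event):
    """selection_5145: write access to a ScheduledTasks.xml under the SYSVOL share."""
    return (
        event.get("EventID") == 5145
        and _endswith(event.get("ShareName", ""), "\\SYSVOL")
        and _endswith(event.get("RelativeTargetName", ""), "ScheduledTasks.xml")
        and _contains_any(event.get("AccessList", ""), WRITE_ACCESS_TOKENS)
    )


def classify_origin(event):
    """LOCAL for a loopback source, REMOTE otherwise, UNKNOWN when no IpAddress (e.g. 5136)."""
    ip = event.get("IpAddress")
    if ip is None:
        return "UNKNOWN"
    return "LOCAL" if ip in LOCAL_ADDRESSES else "REMOTE"


def evaluate(events):
    """Apply 'condition: 1 of selection_*'; return (selection, origin, event) for each hit."""
    hits = []
    for e in events:
        if matches_selection_5136(e):
            hits.append(("selection_5136", classify_origin(e), e))
        elif matches_selection_5145(e):
            hits.append(("selection_5145", classify_origin(e), e))
    return hits


if __name__ == "__main__":
    for selection, origin, e in evaluate(SAMPLE_EVENTS):
        print(f"{selection:16} {origin:8} user={e.get('SubjectUserName', '-')}")
```

Both local and remote hits are kept, as the false-positive note recommends; the origin tag is what lets a triage rule escalate the REMOTE case first rather than drop the LOCAL one. Note that 5136 carries no client address, so a directory change can only be attributed through SubjectUserName and the logon session, not through this tag.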