Techniques
Sample rules
Persistence and Execution at Scale via GPO Scheduled Task
- source: sigma
- techniques:
    - t1053
    - t1053.005
Description
Detects lateral movement via a GPO scheduled task, a technique usually used to deploy ransomware at scale.
Detection logic
selection:
    EventID: 5145
    ShareName: \\\\*\\SYSVOL
    RelativeTargetName|endswith: ScheduledTasks.xml
    Accesses|contains:
        - WriteData
        - '%%4417'
condition: selection
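To show what the selection above actually fires on, here is an added example (not part of the rule, and not SigmaHQ or pySigma code) that evaluates the selection with Sigma's matching semantics over a handful of constructed Security event 5145 records. The domain name, GPO GUID and target paths in the sample events are placeholders; the field names mirror the rule's selection.

```python
import fnmatch

# Added example: a minimal evaluator for the Sigma selection above, run over
# constructed Security event 5145 records. Matching semantics (AND across
# fields, OR across list values, case-insensitive, '*' wildcard, |endswith
# and |contains modifiers) follow the Sigma rule format.

# The rule's selection with the Sigma backslash escaping already resolved:
# '\\\\*\\SYSVOL' in the rule text is the share name \\*\SYSVOL ('*' is a wildcard).
SELECTION = {
    "EventID": 5145,
    "ShareName": r"\\*\SYSVOL",
    "RelativeTargetName|endswith": "ScheduledTasks.xml",
    # Either the resolved access name or the raw %%4417 placeholder
    # (WriteData / AddFile) that appears in unresolved event exports.
    "Accesses|contains": ["WriteData", "%%4417"],
}

# Constructed sample events (not real telemetry); domain and GPO GUID are placeholders.
GPO_DIR = r"corp.example\Policies\{00000000-0000-0000-0000-000000000000}\Machine\Preferences"
SAMPLE_EVENTS = [
    {"EventID": 5145, "ShareName": r"\\*\SYSVOL",           # 1: scheduled task written into SYSVOL
     "RelativeTargetName": GPO_DIR + r"\ScheduledTasks\ScheduledTasks.xml",
     "Accesses": "WriteData (or AddFile)"},
    {"EventID": 5145, "ShareName": r"\\*\SYSVOL",           # 2: same write, access mask unresolved
     "RelativeTargetName": GPO_DIR + r"\ScheduledTasks\ScheduledTasks.xml",
     "Accesses": "%%4416\n\t\t\t\t%%4417"},
    {"EventID": 5145, "ShareName": r"\\*\SYSVOL",           # 3: a client merely reading the policy
     "RelativeTargetName": GPO_DIR + r"\ScheduledTasks\ScheduledTasks.xml",
     "Accesses": "ReadData (or ListDirectory)"},
    {"EventID": 5145, "ShareName": r"\\*\SYSVOL",           # 4: write to a different preference file
     "RelativeTargetName": GPO_DIR + r"\Registry\Registry.xml",
     "Accesses": "WriteData (or AddFile)"},
    {"EventID": 5145, "ShareName": r"\\*\C$",               # 5: right file name, wrong share
     "RelativeTargetName": r"Temp\ScheduledTasks.xml",
     "Accesses": "WriteData (or AddFile)"},
]


def field_matches(value, modifier, pattern):
    """Compare one event field against one Sigma pattern."""
    if isinstance(pattern, str):
        value, pattern = str(value).lower(), pattern.lower()  # Sigma matching is case-insensitive
    if modifier == "endswith":
        return value.endswith(pattern)
    if modifier == "contains":
        return pattern in value
    if isinstance(pattern, str) and "*" in pattern:
        return fnmatch.fnmatchcase(value, pattern)          # plain '*' wildcard
    return value == pattern


def selection_matches(event, selection=SELECTION):
    """True when every field in the selection matches (list values are OR-ed)."""
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        patterns = pattern if isinstance(pattern, list) else [pattern]
        if not any(field_matches(event[field], modifier, p) for p in patterns):
            return False
    return True


def run_rule(events):
    """Return the 1-based indices (matching the comments above) of events that fire the rule."""
    return [i for i, e in enumerate(events, 1) if selection_matches(e)]


if __name__ == "__main__":
    print("alerting events:", run_rule(SAMPLE_EVENTS))  # [1, 2]
```

Only the two writes to ScheduledTasks.xml fire; clients reading the policy file (the normal, high-volume case) and writes to other preference files do not. Event 5145 is only generated when the "Audit Detailed File Share" subcategory is enabled on the domain controllers, so check that before relying on this rule, and expect legitimate GPO edits by administrators to match as well: the SubjectUserName and IpAddress fields of the same event are the natural pivot for separating those from an unexpected account or host writing to SYSVOL.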