LoFP / If the source IP is not localhost then it's super suspicious; better to monitor both local and remote changes to GPO ScheduledTasks

Techniques

Sample rules

Persistence and Execution at Scale via GPO Scheduled Task

Description

Detects lateral movement using a GPO scheduled task, commonly used to deploy ransomware at scale.

Detection logic

detection:
  selection:
    EventID: 5145
    ShareName: '\\*\SYSVOL'
    RelativeTargetName|endswith: 'ScheduledTasks.xml'
    Accesses|contains:
      - 'WriteData'
      - '%%4417'
  condition: selection
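The rule above, evaluated over a handful of constructed Security 5145 events, with the false-positive note from the top of the page applied as a triage step (a write from the domain controller's own loopback address is usually an admin in GPMC; a write from any other address is the case worth escalating). This is an added example, not code from the Sigma project or from the rule author. It assumes the events have already been normalised to the Sigma field names used by the rule (EventID, ShareName, RelativeTargetName, Accesses, IpAddress); in raw Windows XML the access list lives in AccessList, and %%4417 is the resource-string ID the log uses for WriteData/AddFile. The `triage` and `source_is_local` helpers and the sample events are my own.

```python
import fnmatch
import ipaddress

# The Sigma selection from the rule above, transcribed as "Field|modifier": pattern.
# A list of patterns is an OR; all keys of the map must match (AND), as in Sigma.
SELECTION = {
    "EventID": 5145,
    "ShareName": r"\\*\SYSVOL",
    "RelativeTargetName|endswith": "ScheduledTasks.xml",
    "Accesses|contains": ["WriteData", "%%4417"],  # %%4417 = WriteData/AddFile in 5145
}


def _match_one(modifier, pattern, value):
    """Sigma string matching: case-insensitive; '*' and '?' are wildcards
    for a plain (unmodified) field, literal for endswith/contains."""
    if isinstance(pattern, int):
        return value == pattern
    v, p = str(value).lower(), str(pattern).lower()
    if modifier is None:
        return fnmatch.fnmatchcase(v, p)
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "contains":
        return p in v
    raise ValueError("unsupported modifier: " + modifier)


def sigma_match(event, selection=SELECTION):
    """True if every field of the selection matches the event."""
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None:
            return False
        patterns = pattern if isinstance(pattern, list) else [pattern]
        if not any(_match_one(modifier or None, p, value) for p in patterns):
            return False
    return True


def source_is_local(ip):
    """The false-positive note: loopback means the DC itself (GPMC on the console).
    Anything unparsable (5145 logs '-' when no address applies) is treated as
    not local, so it is escalated rather than silently accepted (assumption)."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def triage(events):
    """Run the selection over a list of events; return one record per hit,
    flagging whether the write came from a remote address."""
    hits = []
    for i, ev in enumerate(events):
        if sigma_match(ev):
            hits.append({"index": i, "ip": ev["IpAddress"],
                         "remote": not source_is_local(ev["IpAddress"]),
                         "target": ev["RelativeTargetName"]})
    return hits


# Constructed sample events (not real log data). The GUID is the well-known
# Default Domain Policy GPO; the access lists use the raw %%-resource IDs.
GPT = r"Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences"
SAMPLE_EVENTS = [
    # 0: workstation writes the scheduled-task GPP file: hit, remote
    {"EventID": 5145, "ShareName": r"\\*\SYSVOL", "IpAddress": "10.0.0.57",
     "RelativeTargetName": GPT + r"\ScheduledTasks\ScheduledTasks.xml",
     "Accesses": "%%4417\n%%4418"},
    # 1: same write from the DC itself (loopback): hit, but local
    {"EventID": 5145, "ShareName": r"\\*\SYSVOL", "IpAddress": "::1",
     "RelativeTargetName": GPT + r"\ScheduledTasks\ScheduledTasks.xml",
     "Accesses": "%%4417"},
    # 2: read-only access (%%4416 = ReadData): no hit
    {"EventID": 5145, "ShareName": r"\\*\SYSVOL", "IpAddress": "10.0.0.57",
     "RelativeTargetName": GPT + r"\ScheduledTasks\ScheduledTasks.xml",
     "Accesses": "%%4416"},
    # 3: write to a different GPP file: no hit
    {"EventID": 5145, "ShareName": r"\\*\SYSVOL", "IpAddress": "10.0.0.57",
     "RelativeTargetName": GPT + r"\Registry\Registry.xml",
     "Accesses": "%%4417"},
    # 4: right file name on the wrong share: no hit
    {"EventID": 5145, "ShareName": r"\\*\NETLOGON", "IpAddress": "10.0.0.57",
     "RelativeTargetName": r"ScheduledTasks.xml", "Accesses": "%%4417"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        verdict = "REMOTE WRITE, escalate" if hit["remote"] else "local write, review"
        print(f"event {hit['index']}: {hit['ip']} -> {hit['target']}: {verdict}")
```

Matching is done on lowercased strings because Sigma string comparisons are case-insensitive, and the share wildcard goes through `fnmatch` so `\\*\SYSVOL` matches whatever host name the DC logs. Event 1 shows why the page's false-positive note matters: the rule fires on it, and only the source-address check separates the administrator on the DC console from a remote actor pushing a task to every domain machine.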