Techniques
Sample rules
Startup/Logon Script Added to Group Policy Object
- source: sigma
- techniques:
- t1484
- t1484.001
- t1547
Description
Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to user or computer objects.
Detection logic
condition: selection_eventid and (all of selection_attributes_* or selection_share)
selection_attributes_main:
    AttributeLDAPDisplayName:
        - gPCMachineExtensionNames
        - gPCUserExtensionNames
    AttributeValue|contains: 42B5FAAE-6536-11D2-AE5A-0000F87571E3
selection_attributes_optional:
    AttributeValue|contains:
        - 40B6664F-4972-11D1-A7CA-0000F87571E3
        - 40B66650-4972-11D1-A7CA-0000F87571E3
selection_eventid:
    EventID:
        - 5136
        - 5145
selection_share:
    AccessList|contains: '%%4417'
    RelativeTargetName|endswith:
        - \scripts.ini
        - \psscripts.ini
    ShareName|endswith: \SYSVOL
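The detection logic above, as an added example that is not the rule's or Sigma's own code: a Python evaluation of the condition over constructed Windows event records, assuming each event is a flat dict keyed by the rule's field names (EventID, AttributeLDAPDisplayName, AttributeValue, AccessList, RelativeTargetName, ShareName). It shows that the 5136 branch needs both GUID selections on one attribute-change event, while the 5145 branch needs a write (%%4417) to scripts.ini/psscripts.ini on SYSVOL.

```python
# Added example: evaluates the rule's condition over constructed events.
# Sigma string matching is case-insensitive, so comparisons use casefold().
SCRIPTS_CSE = "42B5FAAE-6536-11D2-AE5A-0000F87571E3"      # Scripts CSE GUID
SCRIPT_GUIDS = ("40B6664F-4972-11D1-A7CA-0000F87571E3",   # script extension GUIDs
                "40B66650-4972-11D1-A7CA-0000F87571E3")
GPC_ATTRS = ("gpcmachineextensionnames", "gpcuserextensionnames")

def field(ev: dict, key: str) -> str:
    """Return a field as a casefolded string ('' when absent)."""
    return str(ev.get(key, "")).casefold()

def selection_eventid(ev: dict) -> bool:
    return ev.get("EventID") in (5136, 5145)

def selection_attributes_main(ev: dict) -> bool:
    return (field(ev, "AttributeLDAPDisplayName") in GPC_ATTRS
            and SCRIPTS_CSE.casefold() in field(ev, "AttributeValue"))

def selection_attributes_optional(ev: dict) -> bool:
    return any(g.casefold() in field(ev, "AttributeValue") for g in SCRIPT_GUIDS)

def selection_share(ev: dict) -> bool:
    # %%4417 is the WriteData/AddFile access right in event 5145's AccessList.
    return ("%%4417" in field(ev, "AccessList")
            and field(ev, "RelativeTargetName").endswith(("\\scripts.ini", "\\psscripts.ini"))
            and field(ev, "ShareName").endswith("\\sysvol"))

def rule_matches(ev: dict) -> bool:
    # condition: selection_eventid and (all of selection_attributes_* or selection_share)
    return selection_eventid(ev) and (
        (selection_attributes_main(ev) and selection_attributes_optional(ev))
        or selection_share(ev))

def alerts(events: list) -> list:
    """Return the ids of the events the rule fires on."""
    return [ev["id"] for ev in events if rule_matches(ev)]

# Constructed sample events, not real telemetry; {POLICY-GUID} is a placeholder.
SAMPLE_EVENTS = [
    {"id": "gpo-edit", "EventID": 5136, "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
     "AttributeValue": "[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}]"},
    {"id": "sysvol-write", "EventID": 5145, "ShareName": "\\\\*\\SYSVOL", "AccessList": "%%4416 %%4417",
     "RelativeTargetName": "example.local\\Policies\\{POLICY-GUID}\\Machine\\Scripts\\scripts.ini"},
    {"id": "other-attr", "EventID": 5136, "AttributeLDAPDisplayName": "displayName",
     "AttributeValue": "42B5FAAE-6536-11D2-AE5A-0000F87571E3"},
    {"id": "sysvol-read", "EventID": 5145, "ShareName": "\\\\*\\SYSVOL", "AccessList": "%%4416",
     "RelativeTargetName": "example.local\\Policies\\{POLICY-GUID}\\Machine\\Scripts\\scripts.ini"},
]

print(alerts(SAMPLE_EVENTS))  # ['gpo-edit', 'sysvol-write']
```

The "other-attr" record shows why the AttributeLDAPDisplayName filter matters: the CSE GUID appearing in some unrelated attribute is not a GPO script change.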