LoFP / legitimate uses of logon scripts distributed via group policy

Techniques

Sample rules

Gpscript Execution

Description

Detects the execution of the LOLBIN gpscript.exe, which runs the logon or startup scripts configured in Group Policy.

Detection logic

selection_img:
  - Image|endswith: \gpscript.exe
  - OriginalFileName: GPSCRIPT.EXE
selection_cli:
  CommandLine|contains:
    - ' /logon'
    - ' /startup'
filter_main_svchost:
  ParentCommandLine: C:\windows\system32\svchost.exe -k netsvcs -p -s gpsvc
condition: all of selection_* and not 1 of filter_main_*
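The following is an added illustration, not code from the LoFP page or the Sigma project: a hand-written evaluator for this rule's selections, filter and condition, run over constructed process-creation events. It shows why a logon script launched by the Group Policy Client service (parent svchost -s gpsvc) is suppressed while the same binary started from an interactive shell still alerts. Field names and values come from the rule above; the sample events are constructed.

```python
SVCHOST_GPSVC = r"C:\windows\system32\svchost.exe -k netsvcs -p -s gpsvc"  # from the rule


def _field(event: dict, name: str) -> str:
    # Sigma string matching is case-insensitive; an absent field never matches.
    return event.get(name, "").lower()


def selection_img(event: dict) -> bool:
    # A list of maps in Sigma is an OR: image path or PE original filename.
    return (_field(event, "Image").endswith(r"\gpscript.exe")
            or _field(event, "OriginalFileName") == "gpscript.exe")


def selection_cli(event: dict) -> bool:
    # 'contains' with several values is also an OR.
    cmd = _field(event, "CommandLine")
    return " /logon" in cmd or " /startup" in cmd


def filter_main_svchost(event: dict) -> bool:
    # Plain value: exact, case-insensitive match on the Group Policy Client
    # service (gpsvc) host process, which is how GPO scripts run legitimately.
    return _field(event, "ParentCommandLine") == SVCHOST_GPSVC.lower()


def rule_matches(event: dict) -> bool:
    # condition: all of selection_* and not 1 of filter_main_*
    return (selection_img(event) and selection_cli(event)
            and not filter_main_svchost(event))


# Constructed process-creation events, not real telemetry.
SAMPLE_EVENTS = {
    "gpo_logon_script": {  # legitimate GPO script run: suppressed by the filter
        "Image": r"C:\Windows\System32\gpscript.exe",
        "OriginalFileName": "GPSCRIPT.EXE",
        "CommandLine": "gpscript.exe /logon",
        "ParentCommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s gpsvc",
    },
    "shell_startup_run": {  # same binary launched from an interactive shell: alerts
        "Image": r"C:\Windows\System32\gpscript.exe",
        "CommandLine": "gpscript.exe /startup",
        "ParentCommandLine": r"C:\Windows\System32\cmd.exe",
    },
}


def alerting_events() -> list:
    # Names of the sample events the rule would fire on.
    return [name for name, ev in SAMPLE_EVENTS.items() if rule_matches(ev)]
```

When tuning this filter for your own environment, compare the full ParentCommandLine from your telemetry against the rule's value, since any difference in switches makes the exact match fail and reintroduces the false positive.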