LoFP / Some legitimate scheduled tasks are occasionally created via Group Policy Objects in managed environments. Filter alerts for approved GPO deployments to reduce false positives.

Techniques

Sample rules

Windows Scheduled Task Created in a Group Policy Object

Description

When a scheduled task is defined in a Group Policy (a Group Policy Preferences item), its definition is written to a ScheduledTasks.xml file in the policy's folder on the SYSVOL share, at a path of the form \Policies\{GPO-GUID}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml (or ...\User\Preferences\... for user-side tasks). Whoever can write that file can push a scheduled task to every host the GPO applies to, which makes an unexpected write to it a high-value signal. The rule looks for Event ID 5145 (Detailed File Share) on the domain controllers recording a write (WriteData/AddFile, %%4417) or append (AppendData/AddSubdirectory, %%4418) to that file. Legitimate GPO administration produces the same events, but in most environments only rarely, so the rule remains an effective way to monitor for malicious scheduled tasks. Note that 5145 is only logged when the "Audit Detailed File Share" subcategory is enabled on the domain controllers; without it the rule has no data to match.

Detection logic

`wineventlog_security`
EventID=5145
ShareName="\\*\\SYSVOL"
RelativeTargetName="*\\ScheduledTasks\\ScheduledTasks.xml"
RelativeTargetName="*\\Policies\\*"
AccessList IN ("*%%4417*", "*%%4418*")
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
    by Computer ShareName RelativeTargetName AccessList
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_scheduled_task_created_in_a_group_policy_object_filter`
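To show how the search above behaves on concrete events, and how the approved-GPO filtering recommended in the LoFP note fits in, here is an added Python re-implementation of the detection logic (example code, not part of the rule or of this page) run over constructed Event ID 5145 records. The two RelativeTargetName clauses are ANDed as Splunk does, the AccessList wildcards become substring checks, the stats/rename stage is reproduced, and the `..._filter` macro is modelled as a hypothetical allowlist of approved GPO GUIDs. The domain name, host name, timestamps, the second GUID and the events themselves are made up; the first GUID is the well-known Default Domain Policy GUID.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Access-mask tokens as they appear in the AccessList field of Event ID 5145.
WRITE_DATA = "%%4417"   # WriteData / AddFile
APPEND_DATA = "%%4418"  # AppendData / AddSubdirectory

# Wildcard patterns copied from the search. Python decodes "\\" to one backslash
# exactly as the SPL string literal does, so the source text is identical.
SHARE_PATTERN = "\\*\\SYSVOL"
TARGET_PATTERNS = ("*\\ScheduledTasks\\ScheduledTasks.xml", "*\\Policies\\*")

# Hypothetical allowlist standing in for the `..._filter` macro: GUIDs of GPOs
# whose scheduled-task deployments are approved (the LoFP note at the top).
APPROVED_GPO_GUIDS = {"{31B2F340-016D-11D2-945F-00C04FB984F9}"}

GPO_GUID_RE = re.compile(r"\\Policies\\(\{[0-9A-F-]{36}\})\\", re.IGNORECASE)

# Constructed sample paths (relative to the share root, as 5145 reports them).
POLICIES = "corp.example\\Policies\\"
GPO_APPROVED = POLICIES + "{31B2F340-016D-11D2-945F-00C04FB984F9}\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml"
GPO_UNKNOWN = POLICIES + "{0C3A5D2E-7F41-4B8A-9D6C-1E2F3A4B5C6D}\\User\\Preferences\\ScheduledTasks\\ScheduledTasks.xml"
GROUPS_XML = POLICIES + "{0C3A5D2E-7F41-4B8A-9D6C-1E2F3A4B5C6D}\\Machine\\Preferences\\Groups\\Groups.xml"


def _evt(t, event_id, share, target, access, computer="DC01.corp.example"):
    """One constructed Security event with the fields the search uses."""
    return {"_time": t, "EventID": event_id, "Computer": computer,
            "ShareName": share, "RelativeTargetName": target, "AccessList": access}


# Constructed events; 5145 renders the server part of ShareName as a literal "*".
SAMPLE_EVENTS = [
    _evt(1709283600, 5145, "\\\\*\\SYSVOL", GPO_APPROVED, "%%4417 %%4418"),  # approved GPO edited
    _evt(1709283660, 5145, "\\\\*\\SYSVOL", GPO_UNKNOWN, "%%4417 %%4418"),   # unknown GPO: task written
    _evt(1709283720, 5145, "\\\\*\\SYSVOL", GPO_UNKNOWN, "%%4417 %%4418"),   # written again a minute later
    _evt(1709283780, 5145, "\\\\*\\SYSVOL", GPO_UNKNOWN, "%%4416"),          # ReadData only: no match
    _evt(1709283840, 5145, "\\\\*\\SYSVOL", GROUPS_XML, "%%4417 %%4418"),    # other GPP file: no match
    _evt(1709283900, 5145, "\\\\*\\NETLOGON", GPO_UNKNOWN, "%%4417"),        # wrong share: no match
    _evt(1709283960, 5140, "\\\\*\\SYSVOL", GPO_UNKNOWN, "%%4417"),          # share-level event: no match
]


def matches_rule(evt):
    """The filtering part of the search (everything before the first pipe)."""
    if evt["EventID"] != 5145:
        return False
    # Splunk wildcard matches on field values are case-insensitive; mirror that.
    if not fnmatchcase(evt["ShareName"].lower(), SHARE_PATTERN.lower()):
        return False
    target = evt["RelativeTargetName"].lower()
    # Both RelativeTargetName clauses are ANDed: the file must be
    # ScheduledTasks.xml and it must live under \Policies\.
    if not all(fnmatchcase(target, p.lower()) for p in TARGET_PATTERNS):
        return False
    return WRITE_DATA in evt["AccessList"] or APPEND_DATA in evt["AccessList"]


def gpo_guid(relative_target):
    """GUID of the GPO folder a SYSVOL path belongs to, or None."""
    m = GPO_GUID_RE.search(relative_target)
    return m.group(1).upper() if m else None


def ctime(epoch):
    """Stand-in for `security_content_ctime`: epoch seconds to ISO-8601 UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def run_detection(events, approved_gpo_guids=APPROVED_GPO_GUIDS):
    """stats count min/max(_time) by Computer ShareName RelativeTargetName AccessList,
    rename Computer as dest, then the approved-GPO filter macro."""
    groups = defaultdict(list)
    for evt in events:
        if matches_rule(evt):
            key = (evt["Computer"], evt["ShareName"], evt["RelativeTargetName"], evt["AccessList"])
            groups[key].append(evt["_time"])
    alerts = []
    for (computer, share, target, access), times in groups.items():
        if gpo_guid(target) in approved_gpo_guids:
            continue  # approved deployment: suppressed as a known false positive
        alerts.append({"dest": computer, "ShareName": share, "RelativeTargetName": target,
                       "AccessList": access, "count": len(times),
                       "firstTime": ctime(min(times)), "lastTime": ctime(max(times))})
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

Run stand-alone, the script prints a single alert for the unknown GPO (count 2, first and last write one minute apart); the edit to the approved policy is grouped but suppressed by the allowlist, and the read-only access, the Groups.xml write, the NETLOGON write and the 5140 share-level event never match. Keying the allowlist on the GPO GUID rather than on the whole path keeps the filter stable when the same approved policy later gets a user-side task as well.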