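id: a1a06ba2-87f8-11ec-a8a3-0242ac120002
name: Large Scale Malware Deployment via GPO Scheduled Task Modification
description: |
  Detects writes to a Group Policy Preferences ScheduledTasks.xml inside the SYSVOL share.
  A scheduled task pushed through a GPO runs on every domain-joined host that applies the
  policy, which is a common way to deploy ransomware or other malware at scale and to move
  laterally without touching each host individually. Legitimate GPO edits by administrators
  will also match; tune by excluding known admin accounts or change windows rather than by
  loosening the path or access-mask filters.
  Requires Windows event 5145 (Object Access > Detailed File Share auditing) to be collected
  from domain controllers.
  Ref: https://bogusecurity.com/2019/12/26/persistence-and-execution-at-scale-via-gpo-scheduled-task/
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
tactics:
  - LateralMovement
  - Persistence
relevantTechniques:
  - T1484
  - T1053.005
query: |
  SecurityEvent
  // 5145: "A network share object was checked to see whether client can be granted desired access".
  // It is written for every access check, not only for successful writes.
  | where EventID == 5145
  // The share is logged literally as \\*\SYSVOL (the asterisk is part of the event text).
  // A verbatim string avoids backslash escaping; =~ keeps the match case-insensitive.
  | where ShareName =~ @"\\*\SYSVOL"
  // GPP scheduled tasks live under <GUID>\{Machine|User}\Preferences\ScheduledTasks\ScheduledTasks.xml;
  // endswith is case-insensitive in KQL, so both branches are covered.
  | where RelativeTargetName endswith "ScheduledTasks.xml"
  // %%4417 = WriteData / AddFile. Without this filter every policy refresh that merely
  // reads the file would fire. %%1537 (DELETE) and %%4418 (AppendData) are other
  // write-class masks to consider when tuning for tooling that replaces the file.
  | where AccessList contains "%%4417"
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), WriteCount = count()
      by EventID, Computer, SubjectDomainName, SubjectUserName, SubjectLogonId, ShareName, RelativeTargetName, AccessList, IpAddress
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: SubjectUserName
      - identifier: NTDomain
        columnName: SubjectDomainName
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Computer
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IpAddress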