title: Persistence and Execution at Scale via GPO Scheduled Task id: a8f29a7b-b137-4446-80a0-b804272f3da2 description: Detect lateral movement using GPO scheduled task, ususally used to deploy ransomware at scale author: Samir Bousseaden date: 2019/04/03 references: - https://twitter.com/menasec1/status/1106899890377052160 tags: - attack.persistence - attack.lateral_movement - attack.t1053 logsource: product: windows service: security description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure' detection: selection: EventID: 5145 ShareName: \\*\SYSVOL RelativeTargetName: '*ScheduledTasks.xml' Accesses: '*WriteData*' condition: selection falsepositives: - if the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks level: high