Use the advanced hunting queries below to detect when scripts are added or modified in the SYSVOL share and when Group Policy logon scripts are executed on clients.
```kusto
// Scripts added or modified in SYSVOL
let domainsysvol = @"\\corp.net\SysVol\";   // replace corp.net with your own domain's SYSVOL path
DeviceFileEvents
| where FolderPath startswith domainsysvol
| where FileName has_any (".exe", ".ps1", ".bat", ".cmd", ".vbs", ".wsh", ".wsf", ".py")
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountUpn
```

```kusto
// Logon script execution: powershell/cmd spawned by the Group Policy script host
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "cmd.exe")   // in~ and =~ compare case-insensitively
| where InitiatingProcessFileName =~ "gpscript.exe"
| project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine
```

```kusto
// GPO logon script registry entries pointing at scripts stored in SYSVOL
DeviceRegistryEvents
| where RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts"
| where RegistryValueData contains @"\SysVol\"
| where RegistryValueData has_any (".exe", ".ps1", ".bat", ".cmd", ".vbs", ".wsh", ".wsf", ".py")
| project Timestamp, DeviceName, RegistryValueData, RegistryKey
```

These queries can be used to detect the following attack techniques and tactics (see the MITRE ATT&CK framework) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|---|---|---|
| Initial access | ||
| Execution | ||
| Persistence | ||
| Privilege escalation | v | |
| Defense evasion | v | https://attack.mitre.org/techniques/T1484/ |
| Credential Access | ||
| Discovery | ||
| Lateral movement | ||
| Collection | ||
| Command and control | ||
| Exfiltration | ||
| Impact | ||
| Vulnerability | ||
| Misconfiguration | ||
| Malware, component | | |
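As an added example (not part of the original page or the contributor's queries), the same three detections re-implemented in Python so they can be re-run offline over rows exported from advanced hunting. The sample rows are constructed, corp.net is the same placeholder domain the query uses, and the extension check tests the real file extension, which is stricter than the query's has_any.

```python
"""Offline re-implementation of the three hunting queries above for rows exported
from advanced hunting. Added example, not from the original page; sample rows are
constructed and corp.net is the same placeholder domain the query uses."""
import ntpath

DOMAIN_SYSVOL = "\\\\corp.net\\SysVol\\"  # assumed placeholder, as in the query
SCRIPT_EXTS = (".exe", ".ps1", ".bat", ".cmd", ".vbs", ".wsh", ".wsf", ".py")
GPO_SCRIPTS_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                   r"\Group Policy\Scripts")

def is_script(path: str) -> bool:
    # Test the real extension: stricter than has_any, which also matches "update.exe.txt"
    return ntpath.splitext(path.lower())[1] in SCRIPT_EXTS

def sysvol_script_changes(file_events):
    """DeviceFileEvents: script files created or modified under the domain SYSVOL share."""
    return [e for e in file_events
            if e["FolderPath"].lower().startswith(DOMAIN_SYSVOL.lower())
            and is_script(e["FileName"])]

def gpscript_children(process_events):
    """DeviceProcessEvents: powershell/cmd launched by gpscript.exe, matched case-insensitively."""
    return [e for e in process_events
            if e["FileName"].lower() in ("powershell.exe", "cmd.exe")
            and e["InitiatingProcessFileName"].lower() == "gpscript.exe"]

def gpo_script_registrations(registry_events):
    """DeviceRegistryEvents: GPO script entries whose data points at a script in SYSVOL."""
    return [e for e in registry_events
            if e["RegistryKey"].lower().startswith(GPO_SCRIPTS_KEY.lower())
            and "\\sysvol\\" in e["RegistryValueData"].lower()
            and is_script(e["RegistryValueData"])]

# Constructed sample rows using the columns the queries project.
FILE_EVENTS = [
    {"DeviceName": "dc01", "FileName": "Logon.ps1", "InitiatingProcessAccountUpn": "admin@corp.net",
     "FolderPath": "\\\\corp.net\\SysVol\\corp.net\\scripts\\Logon.ps1"},
    {"DeviceName": "dc01", "FileName": "readme.txt", "InitiatingProcessAccountUpn": "admin@corp.net",
     "FolderPath": "\\\\corp.net\\SysVol\\corp.net\\scripts\\readme.txt"},
]
PROCESS_EVENTS = [
    {"DeviceName": "ws01", "FileName": "PowerShell.exe", "InitiatingProcessFileName": "gpscript.exe",
     "ProcessCommandLine": "powershell.exe -File \\\\corp.net\\SysVol\\corp.net\\scripts\\Logon.ps1"},
    {"DeviceName": "ws01", "FileName": "cmd.exe", "InitiatingProcessFileName": "explorer.exe", "ProcessCommandLine": "cmd.exe /c echo hi"},
]
REGISTRY_EVENTS = [
    {"DeviceName": "ws01", "RegistryKey": GPO_SCRIPTS_KEY + "\\Logon\\0\\0",
     "RegistryValueData": "\\\\corp.net\\SysVol\\corp.net\\scripts\\Logon.ps1"},
]
```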
Contributor: Alex Verboon