Use the following advanced hunting queries to detect when scripts are added or modified within the SYSVOL share and when Group Policy logon scripts are executed on clients.
```kusto
// Scripts added/modified in SYSVOL
// Adjust the UNC path to your own domain's SYSVOL share
let domainsysvol = @"\\corp.net\SysVol\";
DeviceFileEvents
| where FolderPath startswith domainsysvol
// Script and executable extensions that Group Policy can run at logon
| where FileName has_any (".exe",".ps1",".bat",".cmd",".vbs",".wsh",".wsf",".py")
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountUpn
```
```kusto
// Logon script execution
// gpscript.exe is the Group Policy component that launches logon/logoff scripts,
// so a shell spawned by it is a GPO script being run on the client
DeviceProcessEvents
| where FileName == "powershell.exe" or FileName == "cmd.exe"
| where InitiatingProcessFileName == 'gpscript.exe'
| project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine
```
```kusto
// GPO logon script registry
// Group Policy records the scripts it is configured to run under this key;
// a value pointing at a script in SYSVOL shows which script each client will execute
DeviceRegistryEvents
| where RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts"
| where RegistryValueData contains @"\SysVol\"
| where RegistryValueData has_any (".exe",".ps1",".bat",".cmd",".vbs",".wsh",".wsf",".py")
| project Timestamp, DeviceName, RegistryValueData, RegistryKey
```
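The three queries above each look at one stage in isolation. The following query is an added example (not part of the original contribution) that joins the first two stages: a script written to SYSVOL that is later launched by gpscript.exe on any client, which is the sequence a GPO logon-script modification would produce. It assumes the same `\\corp.net\SysVol\` path, a 7-day lookback, and that the script name appears in the spawned process command line.

```kusto
// Added example: correlate a SYSVOL script write with its later GPO execution
let domainsysvol = @"\\corp.net\SysVol\";   // assumption: replace with your domain
let scriptExt = dynamic([".exe",".ps1",".bat",".cmd",".vbs",".wsh",".wsf",".py"]);
// Stage 1: scripts created, modified or renamed inside SYSVOL
let sysvolWrites =
    DeviceFileEvents
    | where Timestamp > ago(7d)
    | where FolderPath startswith domainsysvol
    | where ActionType in ("FileCreated", "FileModified", "FileRenamed")
    | where FileName has_any (scriptExt)
    | project WriteTime = Timestamp, WriterDevice = DeviceName,
              ScriptName = tolower(FileName), FolderPath, InitiatingProcessAccountUpn;
// Stage 2: processes started by gpscript.exe whose command line names a script
let gpExecutions =
    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where InitiatingProcessFileName =~ "gpscript.exe"
    | where ProcessCommandLine has_any (scriptExt)
    // pull the script file name out of the (lower-cased) command line
    | extend ScriptName = extract(@"([^\\/""\s]+\.(?:exe|ps1|bat|cmd|vbs|wsh|wsf|py))\b",
                                  1, tolower(ProcessCommandLine))
    | where isnotempty(ScriptName)
    | project ExecTime = Timestamp, ClientDevice = DeviceName, ScriptName, ProcessCommandLine;
// Join on the script name and keep only executions that follow the write
sysvolWrites
| join kind=inner gpExecutions on ScriptName
| where ExecTime > WriteTime
| project WriteTime, WriterDevice, InitiatingProcessAccountUpn, FolderPath, ScriptName,
          ExecTime, ClientDevice, ProcessCommandLine
| order by ExecTime desc
```

A write by an account that does not normally administer Group Policy, followed within minutes by executions on many clients, is the pattern worth triaging first.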
These queries can be used to detect the following attack techniques and tactics (see MITRE ATT&CK framework) or security configuration states.
Technique, tactic, or state | Covered? (v=yes) | Notes |
---|---|---|
Initial access | | |
Execution | | |
Persistence | | |
Privilege escalation | v | |
Defense evasion | v | https://attack.mitre.org/techniques/T1484/ |
Credential Access | | |
Discovery | | |
Lateral movement | | |
Collection | | |
Command and control | | |
Exfiltration | | |
Impact | | |
Vulnerability | | |
Misconfiguration | | |
Malware, component | | |
Contributor: Alex Verboon