From 8288d4be9f646d5c6501a0ed6a0afc152f5aa32d Mon Sep 17 00:00:00 2001
From: Josh
Date: Fri, 6 Sep 2024 05:41:18 -0400
Subject: [PATCH] Merge PR #5001 from @joshnck - Add `Startup/Logon Script Added to Group Policy Object`

new: Startup/Logon Script Added to Group Policy Object

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 ...oup_policy_startup_script_added_to_gpo.yml | 41 +++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 rules/windows/builtin/security/win_security_susp_group_policy_startup_script_added_to_gpo.yml

diff --git a/rules/windows/builtin/security/win_security_susp_group_policy_startup_script_added_to_gpo.yml b/rules/windows/builtin/security/win_security_susp_group_policy_startup_script_added_to_gpo.yml
new file mode 100644
index 00000000000..e9baa491f96
--- /dev/null
+++ b/rules/windows/builtin/security/win_security_susp_group_policy_startup_script_added_to_gpo.yml
@@ -0,0 +1,41 @@
+title: Startup/Logon Script Added to Group Policy Object
+id: 123e4e6d-b123-48f8-b261-7214938acaf0
+status: experimental
+description: |
+    Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
+references:
+    - https://www.elastic.co/guide/en/security/current/startup-logon-script-added-to-group-policy-object.html
+author: Elastic, Josh Nickels, Marius Rothenbücher
+date: 2024-09-06
+tags:
+    - attack.privilege-escalation
+    - attack.t1484.001
+    - attack.t1547
+logsource:
+    product: windows
+    service: security
+    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
+detection:
+    selection_eventid:
+        EventID:
+            - 5136
+            - 5145
+    selection_attributes_main:
+        AttributeLDAPDisplayName:
+            - 'gPCMachineExtensionNames'
+            - 'gPCUserExtensionNames'
+        AttributeValue|contains: '42B5FAAE-6536-11D2-AE5A-0000F87571E3'
+    selection_attributes_optional:
+        AttributeValue|contains:
+            - '40B6664F-4972-11D1-A7CA-0000F87571E3'
+            - '40B66650-4972-11D1-A7CA-0000F87571E3'
+    selection_share:
+        ShareName|endswith: '\SYSVOL'
+        RelativeTargetName|endswith:
+            - '\scripts.ini'
+            - '\psscripts.ini'
+        AccessList|contains: '%%4417'
+    condition: selection_eventid and (all of selection_attributes_* or selection_share)
+falsepositives:
+    - Legitimate execution by system administrators.
+level: medium
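Review bot: The `definition` line under `logsource` documents only the audit subcategory that produces EventID 5145; EventID 5136 (directory service object modified) comes from "DS Access > Audit Directory Service Changes" and, as far as I know, also needs a SACL on the GPO (groupPolicyContainer) objects, so the `selection_attributes_*` branch stays silent on a host configured per the current text. I would change it to `definition: 'Requires "DS Access > Audit Directory Service Changes" (Success, with a SACL on the groupPolicyContainer objects) for EventID 5136 and "Object Access > Audit Detailed File Share" (Success/Failure) for EventID 5145'`. Separately, `selection_attributes_optional` is mandatory under `all of selection_attributes_*`, so the name misleads a reader; either rename it to something like `selection_attributes_cse` (the 40B666xx values are the script client-side-extension GUIDs) or, if that second GUID set really is optional, loosen the condition to `selection_eventid and (selection_attributes_main or selection_share)`. T1547 is also a Persistence technique, so `attack.persistence` is arguably missing from `tags`.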