Startup/Logon Script Added to Group Policy Object

Rule Info

Name
Startup/Logon Script Added to Group Policy Object
Author
Elastic, Josh Nickels, Marius Rothenbücher
Description
Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
Reference
https://www.elastic.co/guide/en/security/current/startup-logon-script-added-to-group-policy-object.html
Date
2024-09-06 00:00:00
Modified
None
Id
123e4e6d-b123-48f8-b261-7214938acaf0
Tags
attack.privilege-escalation attack.t1484.001 attack.t1547 DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=123e4e6d-b123-48f8-b261-7214938acaf0

Rule History

Author
Title
Date
Commit
Josh
Merge PR #5001 from @joshnck - Add `Startup/Logon Script Added to Group Policy Object`
2024-09-06
8288d4be9
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022