Adversaries may modify GPO scheduled tasks in the Sysvol folder to deploy malware at scale, leveraging administrative privileges to propagate laterally within the network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate large-scale ransomware deployment attempts early.
KQL Query

```kusto
SecurityEvent
| where EventID == 5145
| where ShareName == "\\\\*\\SYSVOL" and RelativeTargetName endswith "ScheduledTasks.xml" and AccessList contains "%%4417"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SubjectDomainName, SubjectUserName, SubjectLogonId, ShareName, RelativeTargetName, AccessList, IpAddress
```
Analytics rule definition

```yaml
id: a1a06ba2-87f8-11ec-a8a3-0242ac120002
name: Large Scale Malware Deployment via GPO Scheduled Task Modification
description: |
  'This query detects lateral movement using a GPO scheduled task, a technique commonly used to deploy ransomware at scale.
  It monitors whether a scheduled task is modified within the Sysvol folder in GPO.
  Ref: https://bogusecurity.com/2019/12/26/persistence-and-execution-at-scale-via-gpo-scheduled-task/'
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
tactics:
  - LateralMovement
relevantTechniques:
  - T1484
query: |
  SecurityEvent
  | where EventID == 5145
  | where ShareName == "\\\\*\\SYSVOL" and RelativeTargetName endswith "ScheduledTasks.xml" and AccessList contains "%%4417"
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SubjectDomainName, SubjectUserName, SubjectLogonId, ShareName, RelativeTargetName, AccessList, IpAddress
```
| Sentinel Table | Notes |
|---|---|
| SecurityEvent | Ensure this data connector is enabled |
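The following is an added example, not part of the original page or of the Sentinel rule: it re-implements the query's two `where` clauses and its `summarize` step in Python and runs them over constructed Event 5145 records (the policy GUID, hostnames, accounts and IP addresses are made up), so the match logic can be checked offline before the rule is deployed.

```python
from collections import defaultdict
from datetime import datetime

WRITE_ACCESS = "%%4417"          # how Event 5145 renders the WriteData / AddFile access right
SYSVOL_SHARE = r"\\*\SYSVOL"     # literal ShareName value Windows writes into the event
GROUP_KEYS = ("EventID", "Computer", "SubjectDomainName", "SubjectUserName",
              "SubjectLogonId", "ShareName", "RelativeTargetName",
              "AccessList", "IpAddress")

def is_gpo_task_write(ev):
    """Row filter equivalent to the query's two `where` clauses."""
    return (ev["EventID"] == 5145
            and ev["ShareName"] == SYSVOL_SHARE
            and ev["RelativeTargetName"].endswith("ScheduledTasks.xml")
            and WRITE_ACCESS in ev["AccessList"])

def summarize(events):
    """Equivalent of the `summarize` step: one row per distinct key tuple,
    carrying the first and last time that write was observed."""
    buckets = defaultdict(list)
    for ev in filter(is_gpo_task_write, events):
        buckets[tuple(ev[k] for k in GROUP_KEYS)].append(ev["TimeGenerated"])
    return [dict(zip(GROUP_KEYS, key), StartTime=min(ts), EndTime=max(ts))
            for key, ts in buckets.items()]

def event(minute, user, target, access, ip):
    """Build a constructed 5145 record; host, domain and logon id are fixed."""
    return {"TimeGenerated": datetime(2024, 5, 1, 9, minute), "EventID": 5145,
            "Computer": "DC01.corp.local", "SubjectDomainName": "CORP",
            "SubjectUserName": user, "SubjectLogonId": "0x3e7",
            "ShareName": SYSVOL_SHARE, "RelativeTargetName": target,
            "AccessList": access, "IpAddress": ip}

# Constructed sample: the policy GUID, hosts, accounts and addresses are made up.
POLICY = r"corp\Policies\{11111111-2222-3333-4444-555555555555}"
TASK_XML = POLICY + r"\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml"
SAMPLE_EVENTS = [
    event(0, "WS17$", TASK_XML, "%%4416", "10.0.1.17"),                # read: client applying policy
    event(5, "jdoe", TASK_XML, "%%4417\n\t\t\t\t%%4424", "10.0.9.5"),  # write to the task XML
    event(6, "jdoe", TASK_XML, "%%4417\n\t\t\t\t%%4424", "10.0.9.5"),  # same writer again
    event(7, "jdoe", POLICY + r"\GPT.INI", "%%4417", "10.0.9.5"),      # write to another GPO file
]

if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print(row["SubjectUserName"], row["StartTime"], row["EndTime"], row["RelativeTargetName"])
```

Only the two writes by `jdoe` match, and they collapse into a single summarized row spanning 09:05 to 09:06; the read by the workstation account and the write to GPT.INI are filtered out.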
False-positive scenarios

Event 5145 records only the share, the relative file path, the access mask, the subject account and the source IP; the task, process and policy names referenced in the filters below are not fields of the event, so applying these exclusions requires enriching the alert, for example with the content of the written ScheduledTasks.xml or with process telemetry from the originating host.

- Scenario: Regular GPO Scheduled Task Maintenance
  Description: An administrator updates a legitimate scheduled task used for system maintenance or patch deployment via GPO.
  Filter/Exclusion: `taskname NOT LIKE '%Patch%' AND taskname NOT LIKE '%Maintenance%'`
- Scenario: User-Initiated GPO Deployment via PowerShell
  Description: A sysadmin uses PowerShell to deploy a scheduled task via GPO as part of a routine configuration management process.
  Filter/Exclusion: `processname NOT IN ('powershell.exe', 'cmd.exe') OR user NOT IN ('Domain Admins')`
- Scenario: Scheduled Backup Job Modified via GPO
  Description: A backup solution (e.g., Veeam, Commvault) is configured via GPO to run a scheduled task for data backups.
  Filter/Exclusion: `taskname LIKE '%Backup%' OR taskname LIKE '%Veeam%'`
- Scenario: Group Policy Preferences (GPP) Deployment
  Description: An administrator uses GPP to deploy a scheduled task for software updates or configuration settings.
  Filter/Exclusion: `policyname LIKE '%GPP%' OR policyname LIKE '%Software Update%'`
- Scenario: Third-Party Tool Configuration via GPO
  Description: A third-party tool (e.g., Microsoft Intune, SCCM) is configured via GPO to deploy a scheduled task for endpoint management.
  Filter/Exclusion: `taskname LIKE '%Intune%' OR taskname LIKE '%SCCM%'`