
Startup/Logon Script Added to Group Policy Object

Sigma Rules

Summary
This detection rule identifies modifications to Group Policy Objects (GPOs) that introduce startup or logon scripts. Such modifications can indicate malicious activity that abuses the ability to run arbitrary scripts at user logon or system startup, which can lead to privilege escalation or malware persistence. The rule monitors two Windows Security Event IDs (5136 for directory service object changes and 5145 for detailed file share access) and looks for the LDAP attributes associated with adding scripts to a GPO. The attributes of interest are 'gPCMachineExtensionNames' and 'gPCUserExtensionNames', whose new value must contain the specific GUID that marks a GPO as carrying the script-execution extension. In addition, the rule checks for access to the 'SYSVOL' share, where GPO scripts are stored, so that writes to the script files themselves are visible alongside the attribute change. Because the rule is rated at medium severity, security teams should investigate each alert carefully and account for legitimate administrative activity, which can also trigger this detection.
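The following is an added example, not the rule's own Sigma source or code from the site hosting it. It reimplements the logic the summary describes in Python and runs it over a handful of constructed sample events shaped like the relevant fields of Security events 5136 and 5145. The page does not state which GUID the rule looks for; the value used below is the Scripts (Startup/Shutdown) client-side extension GUID and is an assumption that should be replaced with the rule's actual value. The field names (`AttributeLDAPDisplayName`, `AttributeValue`, `ShareName`, `RelativeTargetName`, `SubjectUserName`, `ObjectDN`) follow the standard Windows event XML, and the sample GPO GUID and paths are placeholders.

```python
"""Toy implementation of the 'Startup/Logon Script Added to GPO' detection.

Added example: this is not the rule's Sigma source. It reproduces the two
selections the summary describes (5136 attribute change, 5145 SYSVOL access)
and evaluates them over constructed sample events.
"""

# ASSUMPTION: the page does not give the GUID; the Scripts (Startup/Shutdown)
# client-side extension GUID is used as a stand-in. Replace with the rule's value.
SCRIPTS_CSE_GUID = "42B5FAAE-6536-11D2-AE58-0000F87571E3"

# LDAP attributes named on the page, compared case-insensitively.
GPO_EXTENSION_ATTRIBUTES = {"gpcmachineextensionnames", "gpcuserextensionnames"}


def match_gpo_attribute_change(event):
    """Selection 1: event 5136 where a GPO extension attribute now carries the scripts CSE GUID."""
    if event.get("EventID") != 5136:
        return None
    attr = event.get("AttributeLDAPDisplayName", "").lower()
    if attr not in GPO_EXTENSION_ATTRIBUTES:
        return None
    # 'contains' rather than equality: the attribute holds a list of {CSE}{tool} GUID pairs.
    # Note for triage: a removal of the same value also logs 5136 with this GUID present,
    # so check the event's OperationType before concluding a script was added.
    if SCRIPTS_CSE_GUID.lower() not in event.get("AttributeValue", "").lower():
        return None
    return "gpo_extension_references_scripts_cse"


def match_sysvol_share_access(event):
    """Selection 2: event 5145 for the SYSVOL share, where GPO script files live."""
    if event.get("EventID") != 5145:
        return None
    # 5145 logs the share as \\*\SYSVOL; normalise trailing separators.
    share = event.get("ShareName", "").lower().rstrip("\\")
    if not share.endswith("\\sysvol"):
        return None
    return "sysvol_share_access"


def detect(events):
    """Return one medium-severity alert per event matching either selection."""
    alerts = []
    for ev in events:
        reason = match_gpo_attribute_change(ev) or match_sysvol_share_access(ev)
        if reason:
            alerts.append({
                "severity": "medium",
                "reason": reason,
                "subject": ev.get("SubjectUserName"),
                # 5136 carries the GPO DN; 5145 carries the path relative to the share.
                "object": ev.get("ObjectDN") or ev.get("RelativeTargetName"),
            })
    return alerts


# Constructed sample events (placeholder GPO GUID, domain and user names).
PLACEHOLDER_GPO = "{00000000-0000-0000-0000-000000000001}"
SAMPLE_EVENTS = [
    {   # Should match: scripts CSE GUID added to the machine extension list.
        "EventID": 5136, "SubjectUserName": "jdoe",
        "ObjectDN": f"CN={PLACEHOLDER_GPO},CN=Policies,CN=System,DC=corp,DC=example",
        "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
        "AttributeValue": "[{" + SCRIPTS_CSE_GUID + "}{40B6664F-4972-11D1-A7CA-0000F87571E3}]",
    },
    {   # Benign: GPO renamed, attribute not of interest.
        "EventID": 5136, "SubjectUserName": "jdoe",
        "ObjectDN": f"CN={PLACEHOLDER_GPO},CN=Policies,CN=System,DC=corp,DC=example",
        "AttributeLDAPDisplayName": "displayName", "AttributeValue": "Workstation Baseline",
    },
    {   # Benign: user extension list changed, but to a different (placeholder) CSE.
        "EventID": 5136, "SubjectUserName": "asmith",
        "ObjectDN": f"CN={PLACEHOLDER_GPO},CN=Policies,CN=System,DC=corp,DC=example",
        "AttributeLDAPDisplayName": "gPCUserExtensionNames",
        "AttributeValue": "[{11111111-2222-3333-4444-555555555555}{66666666-7777-8888-9999-000000000000}]",
    },
    {   # Should match: file written under SYSVOL.
        "EventID": 5145, "SubjectUserName": "jdoe", "ShareName": "\\\\*\\SYSVOL",
        "RelativeTargetName": f"corp.example\\Policies\\{PLACEHOLDER_GPO}\\Machine\\Scripts\\Startup\\setup.bat",
    },
    {   # Benign: access to an unrelated share.
        "EventID": 5145, "SubjectUserName": "asmith", "ShareName": "\\\\*\\Finance",
        "RelativeTargetName": "reports\\q3.xlsx",
    },
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints two alerts, one per selection, each carrying the subject account and the changed object so an analyst can check whether the change came from an expected administrator and a change ticket before treating it as persistence.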
Categories
  • Windows
  • On-Premise
Data Sources
  • Group
  • Active Directory
  • Logon Session
Created: 2024-09-06