LoFP / group policy objects are created as part of regular administrative operations; filter as needed.

Techniques

Sample rules

Windows Admon Group Policy Object Created

Description

The following analytic leverages Splunk's Admon to identify the creation of a new Group Policy Object. With GPOs, system administrators can manage and configure applications, software operations, and user settings throughout an entire organization. GPOs can be abused and leveraged by adversaries to escalate privileges or deploy malware across an Active Directory network. As an example, the LockBit ransomware will create new group policies on the domain controller that are then pushed out to every device on the network. Security teams should monitor the creation of new Group Policy Objects.

Detection logic

`admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*" versionNumber=0 displayName!="New Group Policy Object" 
| stats min(_time) as firstTime max(_time) as lastTime values(gPCFileSysPath) by dcName, displayName 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_admon_group_policy_object_created_filter`

Windows Group Policy Object Created

Description

The following analytic leverages Event IDs 5136 and 5137 to identify the creation of a new Group Policy Object. With GPOs, system administrators can manage and configure applications, software operations, and user settings throughout an entire organization. GPOs can be abused and leveraged by adversaries to escalate privileges or deploy malware across an Active Directory network. As an example, the LockBit ransomware will create new group policies on the domain controller that are then pushed out to every device on the network. Security teams should monitor the creation of new Group Policy Objects.

Detection logic

`wineventlog_security` EventCode=5137 OR (EventCode=5136 AttributeValue!="New Group Policy Object" AND (AttributeLDAPDisplayName=displayName OR AttributeLDAPDisplayName=gPCFileSysPath) ) ObjectClass=groupPolicyContainer 
| stats values(AttributeValue) as details values(SubjectUserSid) as User values(ObjectDN) as ObjectDN by ObjectGUID Computer 
| eval GPO_Name = mvindex(details, 0) 
| eval GPO_Path = mvindex(details, 1) 
| fields - details 
| `windows_group_policy_object_created_filter`
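The following is an added example, not part of the LoFP page or of the Splunk rules it quotes. It re-implements the Event ID 5136/5137 detection logic above in Python over constructed sample events (the Admon rule applies the same idea to Admon's objectCategory and versionNumber fields), and then applies an allowlist that plays the role of the `windows_group_policy_object_created_filter` macro, so the false positive noted at the top of this page (GPOs created during routine administration) is tuned out by account rather than by discarding the detection. Field names follow the Windows Security event XML (EventCode, ObjectGUID, Computer, ObjectClass, AttributeLDAPDisplayName, AttributeValue, SubjectUserSid, ObjectDN); the domain controller name, SIDs, GUIDs and GPO names are all constructed placeholders. One deliberate difference from the SPL: GPO_Name and GPO_Path are taken from the attribute each value came from instead of from its position in a sorted `values()` list, so the result does not depend on how the two strings happen to sort.

```python
"""Added example: Event ID 5136/5137 GPO-creation logic with an allowlist filter.

Not from the LoFP page or the Splunk rule; every value below is constructed.
"""
from collections import defaultdict

# Name a GPO carries between creation and its first rename; the rule excludes
# it so the alert shows the name the administrator actually chose.
DEFAULT_GPO_NAME = "New Group Policy Object"

DC = "DC01.corp.example"           # constructed domain controller name
ADMIN_SID = "S-1-5-21-1-1-1-500"   # constructed: account that routinely manages GPOs
OTHER_SID = "S-1-5-21-1-1-1-1105"  # constructed: account that normally does not


def _ev(code, guid, sid, attr=None, value=None, cls="groupPolicyContainer"):
    """Build one constructed directory-service audit event."""
    return {
        "EventCode": code, "ObjectClass": cls, "ObjectGUID": guid, "Computer": DC,
        "SubjectUserSid": sid,
        "ObjectDN": f"CN={guid},CN=Policies,CN=System,DC=corp,DC=example",
        "AttributeLDAPDisplayName": attr, "AttributeValue": value,
    }


SAMPLE_EVENTS = [
    # GPO 1, created by the admin account: the event sequence a creation produces
    _ev(5137, "{guid-1}", ADMIN_SID),
    _ev(5136, "{guid-1}", ADMIN_SID, "displayName", DEFAULT_GPO_NAME),
    _ev(5136, "{guid-1}", ADMIN_SID, "displayName", "Workstation Hardening"),
    _ev(5136, "{guid-1}", ADMIN_SID, "gPCFileSysPath",
        r"\\corp.example\SysVol\corp.example\Policies\{guid-1}"),
    # GPO 2, same sequence from an account that does not normally manage GPOs
    _ev(5137, "{guid-2}", OTHER_SID),
    _ev(5136, "{guid-2}", OTHER_SID, "displayName", DEFAULT_GPO_NAME),
    _ev(5136, "{guid-2}", OTHER_SID, "displayName", "Deploy Tool"),
    _ev(5136, "{guid-2}", OTHER_SID, "gPCFileSysPath",
        r"\\corp.example\SysVol\corp.example\Policies\{guid-2}"),
    # Attribute change on a user object: same event ID, must not match
    _ev(5136, "{guid-3}", ADMIN_SID, "displayName", "J. Doe", cls="user"),
]


def _matches(e):
    """Mirror of the rule's search clause."""
    if e["ObjectClass"] != "groupPolicyContainer":
        return False
    if e["EventCode"] == 5137:
        return True
    if e["EventCode"] == 5136:
        return (e["AttributeLDAPDisplayName"] in ("displayName", "gPCFileSysPath")
                and e["AttributeValue"] != DEFAULT_GPO_NAME)
    return False


def detect_gpo_created(events):
    """Group matching events by (ObjectGUID, Computer), like the rule's stats."""
    groups = defaultdict(lambda: {"GPO_Name": None, "GPO_Path": None,
                                  "User": set(), "ObjectDN": set()})
    for e in events:
        if not _matches(e):
            continue
        g = groups[(e["ObjectGUID"], e["Computer"])]
        g["User"].add(e["SubjectUserSid"])
        g["ObjectDN"].add(e["ObjectDN"])
        # Map by attribute name rather than by position in a sorted list
        if e["AttributeLDAPDisplayName"] == "displayName":
            g["GPO_Name"] = e["AttributeValue"]
        elif e["AttributeLDAPDisplayName"] == "gPCFileSysPath":
            g["GPO_Path"] = e["AttributeValue"]
    return [
        {"ObjectGUID": guid, "Computer": computer, "GPO_Name": g["GPO_Name"],
         "GPO_Path": g["GPO_Path"], "User": sorted(g["User"]),
         "ObjectDN": sorted(g["ObjectDN"])}
        for (guid, computer), g in groups.items()
    ]


def filter_known_admins(results, allowed_sids):
    """Stand-in for the rule's filter macro: drop GPOs created only by
    accounts whose routine job includes GPO administration."""
    allowed = set(allowed_sids)
    return [r for r in results if not set(r["User"]) <= allowed]


if __name__ == "__main__":
    for r in filter_known_admins(detect_gpo_created(SAMPLE_EVENTS), [ADMIN_SID]):
        print(r["Computer"], r["GPO_Name"], r["GPO_Path"], r["User"])
```

Run as a script, it prints only the "Deploy Tool" GPO created by the non-admin account; the "Workstation Hardening" GPO created by the allowlisted admin SID is suppressed, and the user-object change never matches. Tune the allowlist to the accounts that actually perform GPO administration in your environment, and keep it narrow: a SID-based filter only stays honest while the accounts on it are themselves well protected.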