Techniques
Sample rules
Windows Default Domain GPO Modification
- source: sigma
- techniques:
    - t1484
    - t1484.001
Description
Detects modifications to Default Domain or Default Domain Controllers Group Policy Objects (GPOs). Adversaries may modify these default GPOs to deploy malicious configurations across the domain.
Detection logic
condition: selection
selection:
    EventID: 5136
    ObjectClass: groupPolicyContainer
    ObjectDN|startswith:
        - CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM
        - CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM
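The selection above applied to a few constructed Security log events, as an added example that is not part of the sample rule or of the Sigma project: it shows which events fire (a 5136 against one of the two default GPO containers) and which do not (a custom GPO, or a 5137 create event). Field names follow the rule; the sample events, the placeholder GUID and the domain DC=corp,DC=example are constructed.

```python
# Well-known GUIDs of the Default Domain Policy and the Default Domain
# Controllers Policy, taken from the rule's ObjectDN prefixes.
DEFAULT_GPO_DN_PREFIXES = (
    "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM",
    "CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM",
)

def matches_default_gpo_modification(event: dict) -> bool:
    """True when a Security event satisfies the rule's selection.

    Sigma string matching is case-insensitive by default, so both sides
    are lower-cased; EventID is compared as an integer.
    """
    if int(event.get("EventID", 0)) != 5136:
        return False
    if str(event.get("ObjectClass", "")).lower() != "grouppolicycontainer":
        return False
    object_dn = str(event.get("ObjectDN", "")).lower()
    return any(object_dn.startswith(p.lower()) for p in DEFAULT_GPO_DN_PREFIXES)

def alerts_for(events: list) -> list:
    """ObjectDN of every event that fires the rule, in input order."""
    return [e["ObjectDN"] for e in events if matches_default_gpo_modification(e)]

# Constructed sample events, reduced to the fields the rule inspects.
SAMPLE_EVENTS = [
    {   # Directory-service change to the Default Domain Policy: fires.
        "EventID": 5136,
        "ObjectClass": "groupPolicyContainer",
        "ObjectDN": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,"
                    "CN=System,DC=corp,DC=example",
    },
    {   # Same change to a custom GPO (placeholder GUID): does not fire.
        "EventID": 5136,
        "ObjectClass": "groupPolicyContainer",
        "ObjectDN": "CN={00000000-0000-0000-0000-000000000000},CN=Policies,"
                    "CN=System,DC=corp,DC=example",
    },
    {   # Object created (5137) rather than modified (5136): does not fire.
        "EventID": 5137,
        "ObjectClass": "groupPolicyContainer",
        "ObjectDN": "CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,"
                    "CN=System,DC=corp,DC=example",
    },
]

if __name__ == "__main__":
    for dn in alerts_for(SAMPLE_EVENTS):
        print("ALERT: default GPO modified:", dn)
```

Note that 5136 only appears when the Directory Service Changes audit subcategory and a SACL on the policy containers are in place; without that auditing the rule has nothing to match.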