LoFP / legitimate use of gpme to modify gpos

Techniques

Sample rules

Windows Default Domain GPO Modification via GPME

Description

Detects the use of the Group Policy Management Editor (GPME) to modify the Default Domain Policy or Default Domain Controllers Policy Group Policy Objects (GPOs). Adversaries may leverage GPME to make stealthy changes to these default GPOs and deploy malicious GPO configurations across the domain without raising suspicion, since edits to the built-in policies blend in with routine administration.

Detection logic

detection:
  selection_default_gpos:
    CommandLine|contains:
      - 31B2F340-016D-11D2-945F-00C04FB984F9
      - 6AC1786C-016F-11D2-945F-00C04FB984F9
  selection_gpme:
    CommandLine|contains|all:
      - gpme.msc
      - 'gpobject:'
  selection_mmc:
    - Image|endswith: \mmc.exe
    - OriginalFileName: MMC.exe
  condition: all of selection_*
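As an added example (not part of the LoFP page or the Sigma rule itself), the three selections above re-implemented in Python and evaluated over constructed process-creation events. It shows why the legitimate administrative edit named by this LoFP entry fires the rule exactly like a malicious one, and which events fall outside the rule; the domain name, paths and the custom GPO GUID are invented.

```python
# Default Domain Policy and Default Domain Controllers Policy GUIDs from the rule.
DEFAULT_GPO_GUIDS = (
    "31B2F340-016D-11D2-945F-00C04FB984F9",  # Default Domain Policy
    "6AC1786C-016F-11D2-945F-00C04FB984F9",  # Default Domain Controllers Policy
)

def matches_rule(event):
    """True when a process-creation event satisfies all of selection_*.
    Sigma string modifiers (contains, endswith) are case-insensitive, so every
    field is lower-cased before comparison."""
    cmd = event.get("CommandLine", "").lower()
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").lower()
    # selection_default_gpos: a value list under one field is an OR of the values
    sel_default_gpos = any(g.lower() in cmd for g in DEFAULT_GPO_GUIDS)
    # selection_gpme: contains|all means every listed value must be present
    sel_gpme = all(s in cmd for s in ("gpme.msc", "gpobject:"))
    # selection_mmc: a list of maps is an OR of the two field checks
    sel_mmc = image.endswith("\\mmc.exe") or ofn == "mmc.exe"
    return sel_default_gpos and sel_gpme and sel_mmc

# Constructed sample events (hostnames, paths and the custom GPO GUID are invented).
GPME = r'"C:\Windows\system32\mmc.exe" "C:\Windows\system32\gpme.msc" /gpobject:'
LDAP = ',CN=Policies,CN=System,DC=corp,DC=example"'
SAMPLE_EVENTS = [
    # The legitimate-use case this LoFP entry describes: an admin edits the Default Domain Policy.
    {"id": "admin-edits-default-domain-policy", "Image": r"C:\Windows\system32\mmc.exe",
     "OriginalFileName": "MMC.exe",
     "CommandLine": GPME + '"LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9}' + LDAP},
    # Same tool, custom GPO: not one of the two default GUIDs, so no match.
    {"id": "admin-edits-custom-gpo", "Image": r"C:\Windows\system32\mmc.exe",
     "OriginalFileName": "MMC.exe",
     "CommandLine": GPME + '"LDAP://CN={AAAAAAAA-0000-0000-0000-000000000000}' + LDAP},
    # Management console opened without gpme.msc / gpobject: selection_gpme fails.
    {"id": "gpmc-console-only", "Image": r"C:\Windows\system32\mmc.exe",
     "OriginalFileName": "MMC.exe",
     "CommandLine": r'"C:\Windows\system32\mmc.exe" "C:\Windows\system32\gpmc.msc"'},
    # Image path differs, but OriginalFileName still satisfies selection_mmc.
    {"id": "mmc-from-unusual-path", "Image": r"C:\Users\Public\console.exe",
     "OriginalFileName": "MMC.exe",
     "CommandLine": GPME + '"LDAP://CN={6AC1786C-016F-11D2-945F-00C04FB984F9}' + LDAP},
]

def run_detection(events):
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if matches_rule(e)]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['id']:<36} {'ALERT' if matches_rule(e) else '-'}")
```

Because the rule cannot distinguish the administrator's edit from an attacker's, tuning it means allow-listing by user, source host or change window rather than loosening the selections.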