Techniques
Sample rules
Windows Default Group Policy Object Modified
- source: splunk
- techniques:
- T1484
- T1484.001
Description
The following analytic detects modifications to default Group Policy Objects (GPOs) using Event ID 5136. It monitors changes to the Default Domain Controllers Policy and Default Domain Policy, which are critical for enforcing security settings across domain controllers and all users/computers, respectively. This activity is significant because unauthorized changes to these GPOs can indicate an adversary with privileged access attempting to deploy persistence mechanisms or execute malware across the network. If confirmed malicious, such modifications could lead to widespread compromise, allowing attackers to maintain control and execute arbitrary code on numerous hosts.
Detection logic
`wineventlog_security` EventCode=5136 ObjectClass=groupPolicyContainer AttributeLDAPDisplayName=versionNumber (ObjectDN="CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM,DC=*" OR ObjectDN="CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=POLICIES,CN=SYSTEM,DC=*")
| stats min(_time) as firstTime max(_time) as lastTime by ObjectDN SubjectUserSid AttributeValue Computer DSName
| rename AttributeValue as versionNumber
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_default_group_policy_object_modified_filter`
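As an added example (not part of the Splunk content above), the first rule's filter and stats step re-implemented in Python over constructed Event ID 5136 records, so the match can be checked offline; the field names and GUIDs are the rule's, while the sample values and the make_event helper are assumptions.

```python
import re

# Default GPO GUIDs from the rule above; the page writes the second one with mixed
# case, so matching is case-insensitive, as Splunk's own field matching is.
DEFAULT_GPO_GUIDS = {
    "31B2F340-016D-11D2-945F-00C04FB984F9": "Default Domain Policy",
    "6AC1786C-016F-11D2-945F-00C04FB984F9": "Default Domain Controllers Policy",
}
# ObjectDN shape used in the rule: CN={GUID},CN=POLICIES,CN=SYSTEM,DC=...
GPO_DN_RE = re.compile(r"^CN=\{([0-9A-F-]{36})\},CN=POLICIES,CN=SYSTEM,DC=", re.IGNORECASE)

def default_gpo_name(event):
    """Apply the rule's filter to one parsed Event ID 5136 record: a versionNumber write
    on a groupPolicyContainer whose DN is a default GPO. Returns the GPO name or None."""
    if (str(event.get("EventCode")) != "5136"
            or event.get("ObjectClass", "").lower() != "grouppolicycontainer"
            or event.get("AttributeLDAPDisplayName", "").lower() != "versionnumber"):
        return None
    match = GPO_DN_RE.match(event.get("ObjectDN", ""))
    return DEFAULT_GPO_GUIDS.get(match.group(1).upper()) if match else None

def summarize(events):
    """Mirror the rule's stats step: firstTime/lastTime per
    (ObjectDN, SubjectUserSid, versionNumber, Computer, DSName) bucket."""
    rows = {}
    for ev in events:
        name = default_gpo_name(ev)
        if name is None:
            continue
        key = (ev["ObjectDN"], ev["SubjectUserSid"], ev["AttributeValue"], ev["Computer"], ev["DSName"])
        row = rows.setdefault(key, {"gpo": name, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return rows

def make_event(t, dn, value, attr="versionNumber", cls="groupPolicyContainer"):
    """Build a constructed (not real) 5136 record carrying the fields the rule uses."""
    return {"_time": t, "EventCode": 5136, "ObjectClass": cls, "AttributeLDAPDisplayName": attr,
            "AttributeValue": value, "ObjectDN": dn, "SubjectUserSid": "S-1-5-21-1-2-3-1105",
            "Computer": "dc01.corp.example", "DSName": "corp.example"}

SUFFIX = ",CN=POLICIES,CN=SYSTEM,DC=corp,DC=example"
SAMPLE_EVENTS = [  # constructed sample data, not real telemetry
    make_event(1700000000, "CN={31B2F340-016D-11D2-945F-00C04FB984F9}" + SUFFIX, "18"),
    make_event(1700000120, "CN={31B2F340-016D-11D2-945F-00C04FB984F9}" + SUFFIX, "18"),  # same bucket, later
    make_event(1700000300, "CN={6ac1786c-016f-11d2-945f-00c04fb984f9}" + SUFFIX, "7"),   # lower-case GUID
    make_event(1700000400, "CN={A1B2C3D4-1111-2222-3333-444444444444}" + SUFFIX, "3"),   # custom GPO: ignored
    make_event(1700000500, "CN={31B2F340-016D-11D2-945F-00C04FB984F9}" + SUFFIX, "x", attr="gPCFileSysPath"),
]
```

The two default GPOs survive the filter while the custom GPO and the non-versionNumber write do not; the repeated Default Domain Policy write collapses into one row with firstTime and lastTime set.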
Windows Admon Default Group Policy Object Modified
- source: splunk
- techniques:
- T1484
- T1484.001
Description
The following analytic detects modifications to the default Group Policy Objects (GPOs) in an Active Directory environment. It leverages Splunk’s Admon to monitor updates to the “Default Domain Policy” and “Default Domain Controllers Policy.” This activity is significant because changes to these default GPOs can indicate an adversary with privileged access attempting to gain further control, establish persistence, or deploy malware across multiple hosts. If confirmed malicious, such modifications could lead to widespread policy enforcement changes, unauthorized access, and potential compromise of the entire domain environment.
Detection logic
`admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*" (displayName="Default Domain Policy" OR displayName="Default Domain Controllers Policy")
| stats min(_time) as firstTime max(_time) as lastTime values(gPCFileSysPath) by dcName, displayName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_admon_default_group_policy_object_modified_filter`
Windows Default Group Policy Object Modified with GPME
- source: splunk
- techniques:
- T1484
- T1484.001
Description
The following analytic detects modifications to default Group Policy Objects (GPOs) using the Group Policy Management Editor (GPME). It leverages the Endpoint data model to identify processes where mmc.exe executes gpme.msc with specific GUIDs related to default GPOs. This activity is significant because default GPOs, such as the Default Domain Controllers Policy and Default Domain Policy, are critical for enforcing security policies across the domain. If malicious, such modifications could allow an attacker to gain further access, establish persistence, or deploy malware across numerous hosts, severely compromising the network’s security.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=mmc.exe (Processes.process =*gpme.msc*) AND (Processes.process = "*31B2F340-016D-11D2-945F-00C04FB984F9*" OR Processes.process = "*6AC1786C-016F-11D2-945F-00C04fB984F9*" ) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_default_group_policy_object_modified_with_gpme_filter`