Group Policy Abuse for Privilege Addition
- source: sigma
- techniques:
  - t1484
  - t1484.001
Description
Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.
Detection logic
selection:
  EventID: 5136
  AttributeLDAPDisplayName: gPCMachineExtensionNames
  AttributeValue|contains:
    - 827D319E-6EAC-11D2-A4EA-00C04F79F83A
    - 803E14A0-B4FB-11D0-A0D0-00A0C90F574B
condition: selection
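To see what the selection above actually matches, here is an added example (not part of the Sigma rule or the page) that evaluates the same three conditions over constructed Event ID 5136 records and reports each modified GPO only on its first occurrence; the ObjectDN field and the `_rec` helper are assumptions for the sample data.

```python
# Added example (not from the Sigma rule page): a minimal evaluator for the
# detection logic above, run over constructed Event ID 5136 records.
# Field names mirror the rule; ObjectDN is an assumed extra field (present in
# real 5136 events) used here to report each modified GPO only once.

# Extension GUIDs listed in the rule's AttributeValue|contains.
GPO_EXTENSION_GUIDS = (
    "827D319E-6EAC-11D2-A4EA-00C04F79F83A",
    "803E14A0-B4FB-11D0-A0D0-00A0C90F574B",
)

def matches_selection(event: dict) -> bool:
    """Mirror the Sigma 'selection' block; 'contains' is case-insensitive."""
    if str(event.get("EventID")) != "5136":
        return False
    if event.get("AttributeLDAPDisplayName") != "gPCMachineExtensionNames":
        return False
    value = str(event.get("AttributeValue", "")).upper()
    return any(guid in value for guid in GPO_EXTENSION_GUIDS)

def first_occurrences(events) -> list:
    """Matching events, keeping only the first per modified GPO (ObjectDN)."""
    seen, hits = set(), []
    for ev in events:
        if matches_selection(ev) and ev.get("ObjectDN") not in seen:
            seen.add(ev.get("ObjectDN"))
            hits.append(ev)
    return hits

def _rec(event_id, gpo, attr, value):
    """Build one constructed 5136-style record (sample data, not real telemetry)."""
    return {"EventID": event_id, "AttributeLDAPDisplayName": attr, "AttributeValue": value,
            "ObjectDN": f"CN={{{gpo}}},CN=Policies,CN=System,DC=example,DC=test"}

RULE_GUIDS_VALUE = "[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]"
SAMPLE_EVENTS = [
    _rec(5136, "GPO-A", "gPCMachineExtensionNames", RULE_GUIDS_VALUE),          # hit
    _rec(5136, "GPO-A", "gPCMachineExtensionNames", RULE_GUIDS_VALUE.lower()),  # repeat, same GPO
    _rec(5136, "GPO-B", "gPCUserExtensionNames", RULE_GUIDS_VALUE),             # wrong attribute
    _rec(5137, "GPO-C", "gPCMachineExtensionNames", RULE_GUIDS_VALUE),          # wrong event ID
    _rec(5136, "GPO-D", "gPCMachineExtensionNames", "[{00000000-0000-0000-0000-00000000DEAD}]"),  # placeholder GUID
]

if __name__ == "__main__":
    for hit in first_occurrences(SAMPLE_EVENTS):
        print("ALERT gPCMachineExtensionNames changed on", hit["ObjectDN"])
```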