detection.wiki

ATT&CK coverage › Technique

Domain or Tenant Policy Modification: Group Policy Modification T1484.001

Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predictable network path `\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\`.

Events covered

6 catalog events are tagged with this technique by at least one rule.

ProviderEvent IDTitle
Sysmon1Process creation
Security-Auditing4688A new process has been created.
Security-Auditing5136A directory service object was modified.
Security-Auditing5137A directory service object was created.
Security-Auditing5145A network share object was checked to see whether client can be granted desired access.
PowerShell4104Creating Scriptblock text (MessageNumber of MessageTotal).

Authoring guide

Patterns shared across the 15 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (16 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
AttributeLDAPDisplayName10eq 10gPCMachineExtensionNames, gPCUserExtensionNames, gpLink, flags, versionNumber
AttributeValue7match 5, ne 2803E14A0-B4FB-11D0-A0D0-00A0C90F574B, 827D319E-6EAC-11D2-A4EA-00C04F79F83A, 42B5FAAE-6536-11D2-AE5A-0000F87571E3, 40B66650-4972-11D1-A7CA-0000F87571E3, 40B6664F-4972-11D1-A7CA-0000F87571E3
EventID5eq 55136, 5137
ObjectClass4eq 4groupPolicyContainer
RelativeTargetName3ends_with 3\scripts.ini, \psscripts.ini, ScheduledTasks.xml
AccessList3match 3%%4417
ShareName3wildcard 2, ends_with 1\\*\SYSVOL, \SYSVOL
objectCategory3eq 3"CN=Group-Policy-Container*"
admonEventType3eq 3Update
Image2ends_with 2\reg.exe, \mmc.exe
OriginalFileName2eq 2reg.exe, MMC.exe
CommandLine2match 2\SOFTWARE\Policies\Microsoft\Windows\System, EnableSmartScreen, GroupPolicyRefreshTimeDC, 31B2F340-016D-11D2-945F-00C04FB984F9, gpme.msc
ObjectDN2starts_with 1, eq 1CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM, CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM, "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN..., "CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=POLICIES,CN...
ScriptBlockText1match 1\SOFTWARE\Policies\Microsoft\Windows\System, EnableSmartScreen, GroupPolicyRefreshTimeDC
OperationType1eq 1"%%14674"

Top indicator values (55 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

FieldKindValueRules (here)Corpus reach
AttributeLDAPDisplayNameeqgPCMachineExtensionNames64
EventIDeq5136522
ObjectClasseqgroupPolicyContainer44
AttributeLDAPDisplayNameeqgPCUserExtensionNames32
AccessListmatch%%441733
objectCategoryeq"CN=Group-Policy-Container*"33
admonEventTypeeqUpdate33
AttributeValuematch803E14A0-B4FB-11D0-A0D0-00A0C90F574B2
AttributeValuematch827D319E-6EAC-11D2-A4EA-00C04F79F83A2
ShareNamewildcard\\*\SYSVOL22
AttributeValuematch40B66650-4972-11D1-A7CA-0000F87571E32
RelativeTargetNameends_with\scripts.ini2
RelativeTargetNameends_with\psscripts.ini2
AttributeValuematch42B5FAAE-6536-11D2-AE5A-0000F87571E32
AttributeValuematch40B6664F-4972-11D1-A7CA-0000F87571E32
AttributeValuematchAADCED64-746C-4633-A97C-D613490465271
AttributeValuematchCAB54552-DEEA-4691-817E-ED4A4D1AFC721
RelativeTargetNameends_withScheduledTasks.xml1
OriginalFileNameeqreg.exe129
Imageends_with\reg.exe146

Common exclusions (4 distinct)

Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

FieldKindValueRules excluding
old_dneqnew_dn1
new_valuesinold_values1
new_valuesin"{00000000-0000-0000-0000-000000000000}"1
new_valuesinpolicy_guid1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 6 rules

Elastic 3 rules

Splunk 5 rules

Kusto Query Language 1 rule