Group Policy Abuse for Privilege Addition

Author
Elastic
Source
upstream

Detects the first occurrence of a modification to Group Policy Object attributes that adds privileges to user accounts or uses them to add users as local administrators.

MITRE ATT&CK coverage

Tactic                Techniques
Privilege Escalation  T1484 Domain or Tenant Policy Modification, T1484.001 Domain or Tenant Policy Modification: Group Policy Modification
Defense Evasion       T1484 Domain or Tenant Policy Modification, T1484.001 Domain or Tenant Policy Modification: Group Policy Modification

Event coverage

Provider           Event ID  Title
Security-Auditing  5136      A directory service object was modified.

Stages and Predicates

Stage 1: eql:any

winlog.event_data.AttributeLDAPDisplayName:"gPCMachineExtensionNames" and winlog.event_data.AttributeValue:"803E14A0-B4FB-11D0-A0D0-00A0C90F574B" and winlog.event_data.AttributeValue:"827D319E-6EAC-11D2-A4EA-00C04F79F83A"

Indicators

Each row is a field, match kind, and value that the rule matches. The corpus count records how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators; a blank or a count of 1 means the indicator is specific to this rule.

Field                                       Kind      Values
winlog.event_data.AttributeLDAPDisplayName  wildcard
  • gPCMachineExtensionNames (corpus 3: elastic 3)
winlog.event_data.AttributeValue            wildcard
  • *803E14A0-B4FB-11D0-A0D0-00A0C90F574B*
  • *827D319E-6EAC-11D2-A4EA-00C04F79F83A*
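The Stage 1 predicate and the wildcard indicators above describe the same check: a 5136 event whose modified attribute is gPCMachineExtensionNames and whose AttributeValue carries both GUIDs. The script below is an added example, not Elastic's rule code, that evaluates that predicate over constructed winlog-shaped events and applies "first occurrence" semantics. The event ID check is taken from the Event coverage table; the dedupe key (GPO object DN plus acting user), the field names ObjectDN and SubjectUserName, and all GPO DNs and 1111/2222/3333-style GUIDs in the sample data are this example's assumptions.

```python
"""Evaluate the Group Policy Abuse for Privilege Addition predicate over
constructed Windows Security 5136 events (added example, not Elastic's code)."""

from typing import Dict, Iterable, List

# The two GUIDs the rule requires in gPCMachineExtensionNames (from the rule).
REQUIRED_GUIDS = (
    "803E14A0-B4FB-11D0-A0D0-00A0C90F574B",
    "827D319E-6EAC-11D2-A4EA-00C04F79F83A",
)
ATTRIBUTE = "gPCMachineExtensionNames"
EVENT_ID = "5136"  # from the Event coverage table


def event_matches(event: Dict) -> bool:
    """Stage 1 predicate.

    AttributeValue for gPCMachineExtensionNames is a bracketed list of GUIDs,
    so both GUIDs are looked up as case-insensitive substrings, which is what
    the *GUID* wildcard form listed under Indicators expresses.
    """
    winlog = event.get("winlog", {})
    data = winlog.get("event_data", {})
    if str(winlog.get("event_id", "")) != EVENT_ID:
        return False
    if data.get("AttributeLDAPDisplayName") != ATTRIBUTE:
        return False
    value = str(data.get("AttributeValue", "")).upper()
    return all(guid in value for guid in REQUIRED_GUIDS)


def first_occurrences(events: Iterable[Dict]) -> List[Dict]:
    """Keep only the first matching event per (GPO object DN, acting user).

    The rule fires on the first occurrence; the dedupe key used here is an
    assumption of this example, not taken from the rule definition.
    """
    seen = set()
    alerts: List[Dict] = []
    for event in events:
        if not event_matches(event):
            continue
        data = event["winlog"]["event_data"]
        key = (data.get("ObjectDN", "").lower(), data.get("SubjectUserName", "").lower())
        if key in seen:
            continue
        seen.add(key)
        alerts.append(event)
    return alerts


def make_event(attribute: str, value: str, object_dn: str,
               user: str = "jdoe", event_id: str = EVENT_ID) -> Dict:
    """Build a minimal winlog-shaped record (constructed test data)."""
    return {"winlog": {"event_id": event_id, "event_data": {
        "AttributeLDAPDisplayName": attribute,
        "AttributeValue": value,
        "ObjectDN": object_dn,
        "SubjectUserName": user,
    }}}


# Constructed sample data: the GPO DNs and the 1111/2222/3333 GUIDs are placeholders.
GPO_A = "CN={11111111-1111-1111-1111-111111111111},CN=Policies,CN=System,DC=example,DC=test"
GPO_B = "CN={22222222-2222-2222-2222-222222222222},CN=Policies,CN=System,DC=example,DC=test"
BOTH = "[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]"
ONE = "[{33333333-3333-3333-3333-333333333333}{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]"

SAMPLE_EVENTS = [
    make_event("gPCUserExtensionNames", BOTH, GPO_A),      # wrong attribute: no match
    make_event(ATTRIBUTE, ONE, GPO_A),                     # only one GUID: no match
    make_event(ATTRIBUTE, BOTH.lower(), GPO_A),            # match despite lowercase value
    make_event(ATTRIBUTE, BOTH, GPO_A),                    # same GPO and actor: deduplicated
    make_event(ATTRIBUTE, BOTH, GPO_A, event_id="5137"),   # different event ID: no match
    make_event(ATTRIBUTE, BOTH, GPO_B),                    # second GPO: new alert
]

if __name__ == "__main__":
    for alert in first_occurrences(SAMPLE_EVENTS):
        d = alert["winlog"]["event_data"]
        print(f"ALERT {d['SubjectUserName']} modified {d['ObjectDN']}")
```

Run against the constructed sample, the predicate matches three events and the first-occurrence filter reduces them to two alerts, one per GPO. Substring matching is deliberate: a GPO that already uses other client-side extensions will carry additional GUIDs in the same bracketed value, so an exact-equality comparison would miss it.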