Windows Default Domain GPO Modification via GPME
Detects the Group Policy Management Editor (GPME, gpme.msc hosted by mmc.exe) being opened against the Default Domain Policy or the Default Domain Controllers Policy Group Policy Object (GPO). Both GPOs exist in every Active Directory domain with fixed, well-known GUIDs and are linked at the domain and Domain Controllers OU respectively, so a setting added to either one is applied to every member or domain controller at the next policy refresh. Adversaries with sufficient rights may edit these existing GPOs rather than create a new one, since a new GPO is easier to notice than a modified default. Legitimate administration of the same two GPOs produces the identical process-creation event, so triage on the user, the source host and change-control records. Edits made outside the editor (for example the GroupPolicy PowerShell module or direct writes to SYSVOL) do not launch gpme.msc and are not covered by this rule.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Privilege Escalation | T1484.001 Domain or Tenant Policy Modification: Group Policy Modification |
| Defense Evasion | T1484.001 Domain or Tenant Policy Modification: Group Policy Modification |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
The rule fires only when all three selections below match the same process-creation event. Sigma string comparisons are case-insensitive.
Stage 1: selection_mmc (any of)
  Image|endswith: '\mmc.exe'
  OriginalFileName: 'MMC.exe'
Stage 2: selection_gpme (all of)
  CommandLine|contains: 'gpme.msc'
  CommandLine|contains: 'gpobject:'
Stage 3: selection_default_gpos (any of)
  CommandLine|contains: '31B2F340-016D-11D2-945F-00C04FB984F9'   (Default Domain Policy)
  CommandLine|contains: '6AC1786C-016F-11D2-945F-00C04FB984F9'   (Default Domain Controllers Policy)
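The following is an added example, not the catalog's own matcher and not the Sigma project's code: it implements the three selections above and evaluates them over constructed Sysmon Event ID 1 records. The sample command lines are modelled on the form GPMC uses when it launches the editor (mmc.exe gpme.msc /gpobject:"LDAP://CN={GUID},CN=Policies,CN=System,..."); treat that exact shape, the domain name and the custom GPO GUID as assumptions and confirm them against your own logs.

```python
# Added example (not the catalog's or the Sigma project's code): the rule's
# three selections evaluated over constructed Sysmon Event ID 1 records.
# Command-line shapes, domain name and the custom GPO GUID are assumptions.

# Well-known GUIDs of the two default GPOs; identical in every AD domain.
DEFAULT_GPOS = {
    "31B2F340-016D-11D2-945F-00C04FB984F9": "Default Domain Policy",
    "6AC1786C-016F-11D2-945F-00C04FB984F9": "Default Domain Controllers Policy",
}


def _field(event, name):
    # Sigma string modifiers compare case-insensitively, so normalise once here.
    return str(event.get(name, "")).lower()


def selection_mmc(event):
    # Either predicate suffices: a renamed copy of mmc.exe that keeps its
    # version resource still matches on OriginalFileName.
    return (_field(event, "Image").endswith("\\mmc.exe")
            or _field(event, "OriginalFileName") == "mmc.exe")


def selection_gpme(event):
    # Both substrings required: the editor snap-in and the argument naming a GPO.
    cmd = _field(event, "CommandLine")
    return "gpme.msc" in cmd and "gpobject:" in cmd


def selection_default_gpos(event):
    # Either default GPO GUID anywhere in the command line.
    cmd = _field(event, "CommandLine")
    return any(guid.lower() in cmd for guid in DEFAULT_GPOS)


def matches(event):
    # condition: all three selections must hold for the same event.
    return (selection_mmc(event)
            and selection_gpme(event)
            and selection_default_gpos(event))


def targeted_gpo(event):
    """Name of the default GPO being edited, or None when the rule does not fire."""
    if not matches(event):
        return None
    cmd = _field(event, "CommandLine")
    for guid, name in DEFAULT_GPOS.items():
        if guid.lower() in cmd:
            return name
    return None


# Constructed sample events carrying only the Sysmon Event ID 1 fields the rule reads.
SAMPLE_EVENTS = [
    {   # 1: GPMC opens the editor on the Default Domain Policy -> fires
        "Image": r"C:\Windows\System32\mmc.exe",
        "OriginalFileName": "MMC.exe",
        "CommandLine": r'"C:\Windows\system32\mmc.exe" "C:\Windows\system32\gpme.msc" '
                       r'/gpobject:"LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},'
                       r'CN=Policies,CN=System,DC=corp,DC=example"',
    },
    {   # 2: renamed binary, lower-case GUID, Default Domain Controllers Policy -> fires
        "Image": r"C:\Users\Public\svchost.exe",
        "OriginalFileName": "MMC.exe",
        "CommandLine": r'svchost.exe gpme.msc /gpobject:"ldap://cn={6ac1786c-016f-11d2-945f-00c04fb984f9},'
                       r'cn=policies,cn=system,dc=corp,dc=example"',
    },
    {   # 3: editor opened on a custom GPO (constructed GUID) -> does not fire
        "Image": r"C:\Windows\System32\mmc.exe",
        "OriginalFileName": "MMC.exe",
        "CommandLine": r'"C:\Windows\system32\mmc.exe" "C:\Windows\system32\gpme.msc" '
                       r'/gpobject:"LDAP://CN={8D3F5B6A-1C2D-4E5F-9A0B-1C2D3E4F5A6B},'
                       r'CN=Policies,CN=System,DC=corp,DC=example"',
    },
    {   # 4: same default GPO edited via the GroupPolicy module, no mmc/gpme -> not covered
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe -c Set-GPRegistryValue -Guid 31B2F340-016D-11D2-945F-00C04FB984F9 "
                       r"-Key HKLM\Software\Policies\Example -ValueName Flag -Type String -Value 1",
    },
]


def evaluate(events=SAMPLE_EVENTS):
    """Return [(index, matched, gpo_name)] for each event, 1-based index."""
    return [(i, matches(ev), targeted_gpo(ev)) for i, ev in enumerate(events, 1)]


if __name__ == "__main__":
    for idx, hit, name in evaluate():
        print(f"event {idx}: {'ALERT' if hit else 'no match'}{' - ' + name if name else ''}")
```

Events 1 and 2 fire, 3 and 4 do not. Event 2 shows why the rule keys on OriginalFileName as well as Image, and event 4 shows the coverage gap named in the description: a change to the same default GPO through Set-GPRegistryValue never spawns gpme.msc, so it needs a separate rule (or Directory Service object-modification auditing on the GPO container).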
Indicators
Each row is a field, the operator applied to it, and the values the rule matches. Within a row, CommandLine values are combined as described under Stages and Predicates: both gpme.msc and gpobject: are required, and at least one of the two GUIDs must also be present.
| Field | Kind | Values |
|---|---|---|
| CommandLine | contains | gpme.msc; gpobject:; 31B2F340-016D-11D2-945F-00C04FB984F9; 6AC1786C-016F-11D2-945F-00C04FB984F9 |
| Image | ends_with | \mmc.exe |
| OriginalFileName | eq | MMC.exe |