detection.wiki

Detection rules › Splunk

Windows AD GPO Deleted

Author
Dean Luxton
Source
upstream

This detection identifies when an Active Directory Group Policy is deleted using the Group Policy Management Console.

MITRE ATT&CK coverage

TacticTechniques
Privilege EscalationT1484.001 Domain or Tenant Policy Modification: Group Policy Modification
Defense EvasionT1484.001 Domain or Tenant Policy Modification: Group Policy Modification, T1562.001 Impair Defenses: Disable or Modify Tools

Event coverage

ProviderEvent IDTitle
Security-Auditing5136A directory service object was modified.

Stages and Predicates

Stage 1: search

search AttributeLDAPDisplayName="gpLink" EventCode=5136

Stage 2: eval

eval ...

Stage 3: stats

stats BY OpCorrelationID, ObjectDN, SubjectLogonId

Stage 4: rex

rex field=old_value ...

Stage 5: rex

rex field=new_value ...

Stage 6: mvexpand

mvexpand

Stage 7: where

where NOT old_dn="new_dn"

Stage 8: eval

eval ... using (old_dn)

Stage 9: join

join type=inner (...)

Stage 10: stats

stats BY ObjectDN, SubjectLogonId

Stage 11: search

search `macro`

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

StageFieldKindExcluded values
1old_dneqnew_dn

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
AttributeLDAPDisplayNameeq
  • gpLink
EventCodeeq
  • 5136 corpus 22 (splunk 22)
admonEventTypeeq
  • Update corpus 3 (splunk 3)
objectCategoryeq
  • "CN=Group-Policy-Container*" corpus 3 (splunk 3)

Neighbors

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.