Detection rules › Splunk
Windows AD GPO Disabled
This detection identifies when an Active Directory Group Policy is disabled using the Group Policy Management Console.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Privilege Escalation | T1484.001 Domain or Tenant Policy Modification: Group Policy Modification |
| Defense Evasion | T1484.001 Domain or Tenant Policy Modification: Group Policy Modification, T1562.001 Impair Defenses: Disable or Modify Tools |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 5136 | A directory service object was modified. |
Stages and Predicates
Stage 1: search
search AttributeLDAPDisplayName="flags" AttributeValue!=0 EventCode=5136 OperationType="%%14674"
Stage 2: eval
eval ... using (AttributeValue)
Stage 3: join
join type=inner (...)
Stage 4: stats
stats BY ObjectDN, SubjectLogonId, dest
Stage 5: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
AttributeLDAPDisplayName | eq |
|
AttributeValue | ne |
|
EventCode | eq |
|
OperationType | eq |
|
admonEventType | eq |
|
objectCategory | eq |
|
Neighbors
Broader alternatives (more inclusive than this rule)
These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.
- Windows AD Dangerous Deny ACL Modification (drops 3 filters this rule applies)
- Windows AD Object Owner Updated (drops 3 filters this rule applies)
- Windows AD Self DACL Assignment (drops 3 filters this rule applies)