detection.wiki

Detection rules › Splunk

Windows AD GPO New CSE Addition

Author
Dean Luxton
Source
upstream

This detection identifies when a a new client side extension is added to an Active Directory Group Policy using the Group Policy Management Console.

MITRE ATT&CK coverage

TacticTechniques
Privilege EscalationT1484.001 Domain or Tenant Policy Modification: Group Policy Modification
Defense EvasionT1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification, T1484.001 Domain or Tenant Policy Modification: Group Policy Modification

Event coverage

ProviderEvent IDTitle
Security-Auditing5136A directory service object was modified.

Stages and Predicates

Stage 1: search

search AttributeLDAPDisplayName="gPCMachineExtensionNames" EventCode=5136 ObjectClass="groupPolicyContainer"

Stage 2: stats

stats BY ObjectClass, ObjectDN, OpCorrelationID, src_user, SubjectLogonId

Stage 3: rex

rex field=old_value ...

Stage 4: rex

rex field=new_value ...

Stage 5: rex

rex field=ObjectDN ...

Stage 6: mvexpand

mvexpand

Stage 7: where

where NOT new_values IN ("{00000000-0000-0000-0000-000000000000}", "old_values", "policy_guid") new_values="^\{[A-Z   | \d]+\-[A-Z   | \d]+\-[A-Z   | \d]+\-[A-Z   | \d]+\-[A-Z   | \d]+\}"

Stage 8: lookup

lookup <lookup> displayName, guid, new_values, policyType

Stage 9: eval

eval ... using (new_values, policyType)

Stage 10: join

join type=inner (...)

Stage 11: stats

stats BY ObjectDN

Stage 12: search

search `macro`

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

StageFieldKindExcluded values
1new_valuesin"{00000000-0000-0000-0000-000000000000}", old_values, policy_guid

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
AttributeLDAPDisplayNameeq
  • gPCMachineExtensionNames corpus 4 (sigma 3, splunk 1)
EventCodeeq
  • 5136 corpus 22 (splunk 22)
ObjectClasseq
  • groupPolicyContainer corpus 4 (splunk 3, sigma 1)
admonEventTypeeq
  • Update corpus 3 (splunk 3)
new_valuesmatch
  • "^\{[A-Z | \d]+\-[A-Z | \d]+\-[A-Z | \d]+\-[A-Z | \d]+\-[A-Z | \d]+\}"
objectCategoryeq
  • "CN=Group-Policy-Container*" corpus 3 (splunk 3)

Neighbors

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.