Windows Group Policy Object Created

Author: Mauricio Velazco
Source: upstream

The following analytic detects the creation of a new Group Policy Object (GPO) by leveraging Event IDs 5136 and 5137. This detection uses directory service change events to identify when a new GPO is created. Monitoring GPO creation is crucial as adversaries can exploit GPOs to escalate privileges or deploy malware across an Active Directory network. If confirmed malicious, this activity could allow attackers to control system configurations, deploy ransomware, or propagate malware, leading to widespread compromise and significant operational disruption.

MITRE ATT&CK coverage

Tactic	Techniques
Initial Access	`T1078.002` Valid Accounts: Domain Accounts
Persistence	`T1078.002` Valid Accounts: Domain Accounts
Privilege Escalation	`T1078.002` Valid Accounts: Domain Accounts, `T1484.001` Domain or Tenant Policy Modification: Group Policy Modification
Defense Evasion	`T1078.002` Valid Accounts: Domain Accounts, `T1484.001` Domain or Tenant Policy Modification: Group Policy Modification

Event coverage

Provider	Event ID	Title
Security-Auditing	5136	A directory service object was modified.
Security-Auditing	5137	A directory service object was created.

Stages and Predicates

Stage 1: `search`

search (((AttributeLDAPDisplayName="displayName" OR AttributeLDAPDisplayName="gPCFileSysPath") AttributeValue!="New Group Policy Object" EventCode=5136) OR EventCode=5137) ObjectClass="groupPolicyContainer"

Stage 2: `stats`

stats BY ObjectGUID, Computer, dest

Stage 3: `eval`

eval ... using (details)

Stage 4: `eval`

eval ... using (details)

Stage 5: `fields`

fields details

Stage 6: `search`

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`AttributeLDAPDisplayName`	eq	`displayName` `gPCFileSysPath`
`AttributeValue`	ne	`"New Group Policy Object"`
`EventCode`	eq	`5136` corpus 22 (splunk 22) `5137` corpus 3 (splunk 3)
`ObjectClass`	eq	`groupPolicyContainer` corpus 4 (splunk 3, sigma 1)

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Potential Kerberos Coercion via DNS-Based SPN Spoofing [elastic]
Suspicious Remote Registry Access via SeBackupPrivilege [elastic]
Startup/Logon Script added to Group Policy Object [elastic]
Scheduled Task Execution at Scale via GPO [elastic]
Persistence and Execution at Scale via GPO Scheduled Task [sigma]
Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation [sigma]
Startup/Logon Script Added to Group Policy Object [sigma]
Windows AD Short Lived Server Object [splunk]

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.

Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation [sigma]
Windows Kerberos Coercion via DNS [splunk]
Windows Short Lived DNS Record [splunk]