splApache-2.0from splunk/security_content
Windows AD GPO New CSE Addition
This detection identifies when a a new client side extension is added to an Active Directory Group Policy using the Group Policy Management Console.
Quality
35
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/windows_ad_gpo_new_cse_addition.yml
`wineventlog_security` EventCode=5136 ObjectClass=groupPolicyContainer AttributeLDAPDisplayName=gPCMachineExtensionNames
| stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType values(dest) as dest
BY ObjectClass ObjectDN OpCorrelationID
src_user SubjectLogonId
| rex field=old_value max_match=10000 "(?P<old_values>\{.*?\})"
| rex field=new_value max_match=10000 "(?P<new_values>\{.*?\})"
| rex field=ObjectDN max_match=10000 "CN=(?P<policy_guid>\{.*?\})"
| mvexpand new_values
| where NOT new_values IN (old_values,"{00000000-0000-0000-0000-000000000000}",policy_guid) AND match(new_values, "^\{[A-Z
| \d]+\-[A-Z
| \d]+\-[A-Z
| \d]+\-[A-Z
| \d]+\-[A-Z
| \d]+\}")
| lookup msad_guid_lookup guid as new_values OUTPUTNEW displayName as policyType
| eval newPolicy=if(policyType like "%",policyType,new_values)
| join ObjectDN [
| search `admon` objectCategory="CN=Group-Policy-Container*" admonEventType=Update
| stats latest(displayName) as displayName
BY distinguishedName
| eval ObjectDN=upper(distinguishedName)]
| stats values(OpCorrelationID) as OpCorrelationID values(src_user) as src_user values(SubjectLogonId) as SubjectLogonId values(newPolicy) as newPolicy values(displayName) as policyName
BY ObjectDN
| `windows_ad_gpo_new_cse_addition_filter`