splApache-2.0from splunk/security_content
Windows Admon Default Group Policy Object Modified
The following analytic detects modifications to the default Group Policy Objects (GPOs) in an Active Directory environment. It leverages Splunk's Admon to monitor updates to the "Default Domain Policy" and "Default Domain Controllers Policy." This activity is significant because changes to these default GPOs can indicate an adversary with privileged access attempting to gain further control, establish persistence, or deploy malware across multiple hosts. If confirmed malicious, such modifications could lead to widespread policy enforcement changes, unauthorized access, and potential compromise of the entire domain environment.
Quality
67
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/windows_admon_default_group_policy_object_modified.yml
`admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*" (displayName="Default Domain Policy" OR displayName="Default Domain Controllers Policy")
| stats min(_time) as firstTime max(_time) as lastTime values(gPCFileSysPath)
BY dcName, displayName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_admon_default_group_policy_object_modified_filter`