SPL · Apache-2.0 · from splunk/security_content

Windows Admon Group Policy Object Created

The following analytic detects the creation of a new Group Policy Object (GPO) using Splunk's Admon data. It matches Admon Update events for objects of the Group-Policy-Container class whose versionNumber is still 0 (a GPO that has not yet been edited), excluding objects that still carry the default display name "New Group Policy Object". Monitoring GPO creation is crucial because adversaries can use GPOs to escalate privileges or deploy malware across an Active Directory network. If confirmed malicious, this activity could allow attackers to control system configurations, deploy ransomware, or propagate malware, significantly compromising the network's security.

Quality: 67 · Forks: 0 · Views: 0

Rule source: detections/endpoint/windows_admon_group_policy_object_created.yml
`admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*" versionNumber=0 displayName!="New Group Policy Object"
  | stats min(_time) as firstTime max(_time) as lastTime values(gPCFileSysPath)
    BY dcName, displayName
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_admon_group_policy_object_created_filter`
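As an added illustration (not part of the security_content rule), the same filter and stats aggregation expressed in Python and run over constructed Admon-style events; the domain names, GUIDs and epoch values are made up, and `_ctime` stands in for the `security_content_ctime` macro:

```python
import fnmatch
from collections import defaultdict
from datetime import datetime, timezone

# Wildcard pattern and default display name copied from the search above.
GPC_CATEGORY = "CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*"
DEFAULT_NAME = "New Group Policy Object"
# Constructed (hypothetical) forest: corp.example plus a child domain, to exercise the DC=* wildcard.
CORP_GPC = "CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=corp,DC=example"
CHILD_GPC = "CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=child,DC=corp,DC=example"

def _ev(t, etype, name, version, guid, dc="dc01.corp.example", category=CORP_GPC):
    """Build one constructed Admon-style event; field names follow the search, values are made up."""
    return {"_time": t, "admonEventType": etype, "dcName": dc, "objectCategory": category,
            "versionNumber": version, "displayName": name,
            "gPCFileSysPath": "\\\\corp.example\\SysVol\\corp.example\\Policies\\" + guid}

# Constructed sample: two genuine new GPOs plus three events the search must ignore.
SAMPLE_EVENTS = [
    _ev(1700000000, "Update", DEFAULT_NAME, 0, "{1111}"),             # still the default name
    _ev(1700000060, "Update", "Deploy Agent", 0, "{2222}"),
    _ev(1700000120, "Update", "Deploy Agent", 0, "{2222}"),           # same GPO seen again
    _ev(1700000180, "Update", "Default Domain Policy", 3, "{3333}"),  # versionNumber != 0
    _ev(1700000240, "Sync", "Deploy Agent", 0, "{2222}"),             # not an Update event
    _ev(1700000300, "Update", "Logon Script", 0, "{4444}", dc="dc02.child.corp.example", category=CHILD_GPC),
]

def matches(event):
    """Mirror the search filter: Update on a GPC object, versionNumber 0, non-default displayName."""
    return (event.get("admonEventType") == "Update"
            and fnmatch.fnmatchcase(event.get("objectCategory", ""), GPC_CATEGORY)
            and event.get("versionNumber") == 0
            and event.get("displayName") != DEFAULT_NAME)

def _ctime(epoch):
    # Stand-in for the `security_content_ctime` macro: epoch seconds rendered as UTC text.
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def detect_new_gpos(events):
    """Equivalent of the stats clause: min/max _time and values(gPCFileSysPath) BY dcName, displayName."""
    groups = defaultdict(lambda: {"first": None, "last": None, "paths": set()})
    for event in filter(matches, events):
        g = groups[(event["dcName"], event["displayName"])]
        g["first"] = event["_time"] if g["first"] is None else min(g["first"], event["_time"])
        g["last"] = event["_time"] if g["last"] is None else max(g["last"], event["_time"])
        g["paths"].add(event["gPCFileSysPath"])
    return {key: {"firstTime": _ctime(g["first"]), "lastTime": _ctime(g["last"]),
                  "gPCFileSysPath": sorted(g["paths"])} for key, g in groups.items()}
```

Each returned key is one (dcName, displayName) row of the search output; the `windows_admon_group_policy_object_created_filter` macro would be applied to these rows afterwards to suppress known-good change windows.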