SPL | Apache-2.0 | from splunk/security_content

Windows Default Group Policy Object Modified

The following analytic detects modifications to default Group Policy Objects (GPOs) using Event ID 5136. It monitors changes to the `Default Domain Controllers Policy` and `Default Domain Policy`, which are critical for enforcing security settings across domain controllers and all users/computers, respectively. This activity is significant because unauthorized changes to these GPOs can indicate an adversary with privileged access attempting to deploy persistence mechanisms or execute malware across the network. If confirmed malicious, such modifications could lead to widespread compromise, allowing attackers to maintain control and execute arbitrary code on numerous hosts.

Rule source: detections/endpoint/windows_default_group_policy_object_modified.yml
`wineventlog_security` EventCode=5136 ObjectClass=groupPolicyContainer AttributeLDAPDisplayName=versionNumber (ObjectDN="CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM,DC=*" OR ObjectDN="CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=POLICIES,CN=SYSTEM,DC=*")
  | stats min(_time) as firstTime max(_time) as lastTime
    BY ObjectDN SubjectUserSid AttributeValue
       Computer DSName dest
  | rename AttributeValue as versionNumber
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_default_group_policy_object_modified_filter`
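As an added example that is not part of the Splunk content, the following Python mirrors the search's filter and stats steps over constructed Event ID 5136 records: it keeps only versionNumber writes to the two default GPO containers (matched case-insensitively, as the search command does with the wildcarded ObjectDN values) and reports first/last time per object, actor and version. The sample events, SIDs and domain are made up; a versionNumber bump from a legitimate administrator edit looks identical, which is what the filter macro in the search exists to tune out.

```python
import re

# Well-known GUIDs of the two default GPOs that the SPL above keys on.
DEFAULT_GPO_GUIDS = {
    "{31B2F340-016D-11D2-945F-00C04FB984F9}": "Default Domain Policy",
    "{6AC1786C-016F-11D2-945F-00C04FB984F9}": "Default Domain Controllers Policy",
}
# Same shape as the ObjectDN wildcards in the search; case-insensitive because the search
# command matches field values that way (note the lowercase 'f' in the second GUID above).
OBJECT_DN_RE = re.compile(r"^CN=(\{[0-9A-F-]{36}\}),CN=POLICIES,CN=SYSTEM,DC=.+$", re.I)

def default_gpo_name(event):
    """Return which default GPO a 5136 event touches, or None if the event is out of scope."""
    if str(event.get("EventCode")) != "5136":
        return None
    if event.get("ObjectClass") != "groupPolicyContainer":
        return None
    if event.get("AttributeLDAPDisplayName") != "versionNumber":
        return None
    m = OBJECT_DN_RE.match(event.get("ObjectDN", ""))
    return DEFAULT_GPO_GUIDS.get(m.group(1).upper()) if m else None

def summarize(events):
    """Mirror the stats step: first/last time per (ObjectDN, SubjectUserSid, versionNumber)."""
    rows = {}
    for ev in events:
        name = default_gpo_name(ev)
        if name is None:
            continue
        key = (ev["ObjectDN"], ev["SubjectUserSid"], ev["AttributeValue"])
        row = rows.setdefault(key, {"gpo": name, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return rows

# Constructed sample events (not real telemetry); _time is epoch seconds.
DN_DDP = "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM,DC=corp,DC=example"
DN_DDCP = "CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=POLICIES,CN=SYSTEM,DC=corp,DC=example"
DN_OTHER = "CN={DEADBEEF-0000-4000-8000-000000000001},CN=POLICIES,CN=SYSTEM,DC=corp,DC=example"
BASE = dict(EventCode=5136, ObjectClass="groupPolicyContainer", AttributeLDAPDisplayName="versionNumber")
SAMPLE_EVENTS = [
    dict(BASE, _time=1700000000, ObjectDN=DN_DDP, SubjectUserSid="S-1-5-21-1-2-3-500", AttributeValue="12"),
    dict(BASE, _time=1700000300, ObjectDN=DN_DDP, SubjectUserSid="S-1-5-21-1-2-3-500", AttributeValue="12"),
    dict(BASE, _time=1700000600, ObjectDN=DN_DDCP, SubjectUserSid="S-1-5-21-1-2-3-1105", AttributeValue="7"),
    dict(BASE, _time=1700000900, ObjectDN=DN_OTHER, SubjectUserSid="S-1-5-21-1-2-3-1105", AttributeValue="3"),
    dict(BASE, _time=1700001200, ObjectDN=DN_DDP, SubjectUserSid="S-1-5-21-1-2-3-500",
         AttributeValue="\\\\corp.example\\SysVol\\x", AttributeLDAPDisplayName="gPCFileSysPath"),
]

if __name__ == "__main__":
    for (dn, sid, ver), row in summarize(SAMPLE_EVENTS).items():
        print(f"{row['gpo']}: version {ver} written by {sid} between {row['firstTime']} and {row['lastTime']}")
```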