Windows Admon Default Group Policy Object Modified

name: Windows Admon Default Group Policy Object Modified
id: 83458004-db60-4170-857d-8572f16f070b
version: 10
date: '2026-03-10'
author: Mauricio Velazco, Splunk
status: production
type: TTP
data_source:
    - Windows Active Directory Admon
description: The following analytic detects modifications to the default Group Policy Objects (GPOs) in an Active Directory environment. It leverages Splunk's Admon to monitor updates to the "Default Domain Policy" and "Default Domain Controllers Policy." This activity is significant because changes to these default GPOs can indicate an adversary with privileged access attempting to gain further control, establish persistence, or deploy malware across multiple hosts. If confirmed malicious, such modifications could lead to widespread policy enforcement changes, unauthorized access, and potential compromise of the entire domain environment.
search: |-
    `admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*" (displayName="Default Domain Policy" OR displayName="Default Domain Controllers Policy")
      | stats min(_time) as firstTime max(_time) as lastTime values(gPCFileSysPath)
        BY dcName, displayName
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `windows_admon_default_group_policy_object_modified_filter`
how_to_implement: To successfully implement this search, you need to be monitoring Active Directory logs using Admon. Details can be found here https://help.splunk.com/en/splunk-cloud-platform/get-started/get-data-in/9.3.2411/get-windows-data/monitor-active-directory
known_false_positives: The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed.
references:
    - https://attack.mitre.org/techniques/T1484/
    - https://attack.mitre.org/techniques/T1484/001
    - https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/
    - https://adsecurity.org/?p=2716
    - https://help.splunk.com/en/splunk-cloud-platform/get-started/get-data-in/9.3.2411/get-windows-data/monitor-active-directory
drilldown_searches:
    - name: View the detection results for - "$dcName$"
      search: '%original_detection_search% | search  dcName = "$dcName$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dcName$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dcName$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: A default domain group policy was updated on $dcName$
    risk_objects:
        - field: dcName
          type: system
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Active Directory Privilege Escalation
        - Sneaky Active Directory Persistence Tricks
    asset_type: Endpoint
    mitre_attack_id:
        - T1484.001
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/windows-security.log
          source: ActiveDirectory
          sourcetype: ActiveDirectory