EXPLORE
Sign In
← Back to Explore
T1484.001

Group Policy Modification

Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predictable network path `\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Pers...

Windows
18
Detections
3
Sources
4
Threat Actors

BY SOURCE

8splunk_escu6sigma4elastic

PROCEDURES (12)

Authentication Monitoring3 detections

Auto-extracted: 3 detections for authentication monitoring

Privilege2 detections

Auto-extracted: 2 detections for privilege

Process Creation Monitoring2 detections

Auto-extracted: 2 detections for process creation monitoring

Startup2 detections

Auto-extracted: 2 detections for startup

Persist2 detections

Auto-extracted: 2 detections for persist

General Monitoring1 detections

Auto-extracted: 1 detections for general monitoring

Scheduled Task1 detections

Auto-extracted: 1 detections for scheduled task

Service1 detections

Auto-extracted: 1 detections for service

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

Scheduled Task1 detections

Auto-extracted: 1 detections for scheduled task

Persist1 detections

Auto-extracted: 1 detections for persist

Ransomware1 detections

Auto-extracted: 1 detections for ransomware

THREAT ACTORS (4)

APT41Cinnamon TempestIndrik SpiderStorm-0501

DETECTIONS (18)

Creation or Modification of a new GPO Scheduled Task or Service
elasticlow
Group Policy Abuse for Privilege Addition
sigmamedium
Group Policy Abuse for Privilege Addition
elastichigh
Modify Group Policy Settings
sigmamedium
Modify Group Policy Settings - ScriptBlockLogging
sigmamedium
Scheduled Task Execution at Scale via GPO
elasticmedium
Startup/Logon Script added to Group Policy Object
elasticmedium
Startup/Logon Script Added to Group Policy Object
sigmamedium
Windows AD GPO Deleted
splunk_escu
Windows AD GPO Disabled
splunk_escu
Windows AD GPO New CSE Addition
splunk_escu
Windows Admon Default Group Policy Object Modified
splunk_escu
Windows Admon Group Policy Object Created
splunk_escu
Windows Default Domain GPO Modification
sigmamedium
Windows Default Domain GPO Modification via GPME
sigmamedium
Windows Default Group Policy Object Modified
splunk_escu
Windows Default Group Policy Object Modified with GPME
splunk_escu
Windows Group Policy Object Created
splunk_escu