detection.wiki

Detection rules › Sigma

Permissions changed on a Group Policy (GPO)

Status
experimental
Severity
medium
Log source
product windows, service security
Author
mdecrevoisier
Source
github.com/mdecrevoisier/SIGMA-detection-rules

Detects scenarios where an attacker will attempt to take control over a group policy.

MITRE ATT&CK coverage

TacticTechniques
Privilege EscalationT1484.001 Domain or Tenant Policy Modification: Group Policy Modification

Event coverage

ProviderEventTitle
Security-AuditingEvent ID 5136A directory service object was modified.

Rule body yaml

title: Permissions changed on a Group Policy (GPO)
description: Detects scenarios where an attacker will attempt to take control over a group policy.
requirements: auditing SACL "Modify permissions" must be placed on the "Policies" container using the Active Directory console (https://www.manageengine.com/products/active-directory-audit/active-directory-auditing-configuration-guide-configure-object-level-auditing-manually.html).
references:
- https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0005-Defense%20Evasion/T1222.001-File%20and%20Directory%20Permissions%20Modification
tags:
- attack.privilege_escalation
- attack.t1484.001
author: mdecrevoisier
status: experimental
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 5136
    AttributeLDAPDisplayName: ntSecurityDescriptor
    ObjectClass: groupPolicyContainer
    OperationType: '%%14674' # Value is added
  filter:
    SubjectUserName: # AGPM servers (to customize)
      - SRVAGPM01$
      - SRVAGPM02$
  condition: selection and not filter
falsepositives:
- Group policy administrator activity / AGPM activity
level: medium

Stages and Predicates

Stage 0: condition

selection and not filter

Stage 1: selection

selection:
  EventID: 5136
  AttributeLDAPDisplayName: ntSecurityDescriptor
  ObjectClass: groupPolicyContainer
  OperationType: '%%14674'

Stage 2: not filter

filter:
  SubjectUserName:
    - SRVAGPM01$
    - SRVAGPM02$

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

FieldKindExcluded values
SubjectUserNameeqSRVAGPM01$
SubjectUserNameeqSRVAGPM02$

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
AttributeLDAPDisplayNameeq
  • ntSecurityDescriptor corpus 7 (sigma 6, elastic 1)
ObjectClasseq
  • groupPolicyContainer corpus 6 (sigma 3, splunk 3)
OperationTypeeq
  • %%14674 corpus 17 (sigma 9, elastic 4, splunk 4)