detection.wiki

Detection rules › Sigma

Suspicious modification of a sensitive Group Policy (GPO)

Status
experimental
Severity
medium
Log source
product windows, service security
Author
mdecrevoisier
Source
github.com/mdecrevoisier/SIGMA-detection-rules

Detects scenarios where an attacker will attempt to take control over a group policy.

MITRE ATT&CK coverage

TacticTechniques
Privilege EscalationT1484.001 Domain or Tenant Policy Modification: Group Policy Modification

Event coverage

ProviderEventTitle
Security-AuditingEvent ID 5136A directory service object was modified.

Rule body yaml

title: Suspicious modification of a sensitive Group Policy (GPO)
description: Detects scenarios where an attacker will attempt to take control over a group policy.
requirements: native and existing auditing SACL ("Write all properties") should already be present on "Policies" container.
references:
- https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0004-Privilege%20Escalation/T1484.001-Domain%20Policy%20Modification-Group%20Policy%20Modification
tags:
- attack.privilege_escalation
- attack.t1484.001
author: mdecrevoisier
status: experimental
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 5136
    AttributeLDAPDisplayName: versionNumber
    ObjectClass: groupPolicyContainer
    OperationType: '%%14674' # Value is added
    ObjectGUID|contains:     # List of sensitive GPO GUID
      - xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
      - xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
      - xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
      - xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  filter:
    AttributeValue: '0' # First value when GPO is created. Refers to the GPO version number.
  condition: selection and not filter
falsepositives:
- Group policy administrator activity / AGPM activity
level: medium

Stages and Predicates

Stage 0: condition

selection and not filter

Stage 1: selection

selection:
  EventID: 5136
  AttributeLDAPDisplayName: versionNumber
  ObjectClass: groupPolicyContainer
  OperationType: '%%14674'
  ObjectGUID|contains:
    - xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    - xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    - xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    - xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Stage 2: not filter

filter:
  AttributeValue: '0'

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

FieldKindExcluded values
AttributeValueeq0

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
AttributeLDAPDisplayNameeq
  • versionNumber corpus 2 (sigma 1, splunk 1)
ObjectClasseq
  • groupPolicyContainer corpus 6 (sigma 3, splunk 3)
ObjectGUIDmatch
  • xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
OperationTypeeq
  • %%14674 corpus 17 (sigma 9, elastic 4, splunk 4)