detection.wiki

Detection rules › Sigma

Group Policy Abuse for Privilege Addition

Status
test
Severity
medium
Log source
product windows, service security
Author
Elastic, Josh Nickels, Marius Rothenbücher
Source
github.com/SigmaHQ/sigma

Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.

MITRE ATT&CK coverage

TacticTechniques
Privilege EscalationT1484.001 Domain or Tenant Policy Modification: Group Policy Modification
Defense ImpairmentT1484.001 Domain or Tenant Policy Modification: Group Policy Modification

Event coverage

ProviderEventTitle
Security-AuditingEvent ID 5136A directory service object was modified.

Rule body yaml

title: Group Policy Abuse for Privilege Addition
id: 1c480e10-7ee1-46d4-8ed2-85f9789e3ce4
status: test
description: |
    Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.
author: Elastic, Josh Nickels, Marius Rothenbücher
references:
    - https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275
date: 2024-09-04
tags:
    - attack.privilege-escalation
    - attack.defense-impairment
    - attack.t1484.001
logsource:
    product: windows
    service: security
    definition: 'Requirements: The "Audit Directory Service Changes" logging policy must be configured in order to receive events.'
detection:
    selection:
        EventID: 5136
        AttributeLDAPDisplayName: 'gPCMachineExtensionNames'
        AttributeValue|contains:
            - '827D319E-6EAC-11D2-A4EA-00C04F79F83A'
            - '803E14A0-B4FB-11D0-A0D0-00A0C90F574B'
    condition: selection
falsepositives:
    - Users allowed to perform these modifications (user found in field SubjectUserName)
level: medium

Stages and Predicates

Stage 0: condition

selection

Stage 1: selection

selection:
    EventID: 5136
    AttributeLDAPDisplayName: 'gPCMachineExtensionNames'
    AttributeValue|contains:
        - '827D319E-6EAC-11D2-A4EA-00C04F79F83A'
        - '803E14A0-B4FB-11D0-A0D0-00A0C90F574B'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
AttributeLDAPDisplayNameeq
  • gPCMachineExtensionNames corpus 7 (sigma 3, elastic 3, splunk 1)
AttributeValuematch
  • 803E14A0-B4FB-11D0-A0D0-00A0C90F574B corpus 2 (sigma 1, elastic 1)
  • 827D319E-6EAC-11D2-A4EA-00C04F79F83A corpus 2 (sigma 1, elastic 1)