Windows Admon Group Policy Object Created

name: Windows Admon Group Policy Object Created
id: 69201633-30d9-48ef-b1b6-e680805f0582
version: 12
creation_date: '2023-03-28'
modification_date: '2026-05-13'
author: Mauricio Velazco, Splunk
status: production
type: TTP
description: The following analytic detects the creation of a new Group Policy Object (GPO) using Splunk's Admon data. It identifies events where a new GPO is created, excluding default "New Group Policy Object" entries. Monitoring GPO creation is crucial as adversaries can exploit GPOs to escalate privileges or deploy malware across an Active Directory network. If confirmed malicious, this activity could allow attackers to control system configurations, deploy ransomware, or propagate malware, significantly compromising the network's security.
data_source:
    - Windows Active Directory Admon
search: |-
    `admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*" versionNumber=0 displayName!="New Group Policy Object"
      | stats min(_time) as firstTime max(_time) as lastTime values(gPCFileSysPath)
        BY dcName, displayName
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `windows_admon_group_policy_object_created_filter`
how_to_implement: To successfully implement this search, you need to be monitoring Active Directory logs using Admon. Details can be found here https://help.splunk.com/en/splunk-cloud-platform/get-started/get-data-in/9.3.2411/get-windows-data/monitor-active-directory
known_false_positives: Group Policy Objects are created as part of regular administrative operations, filter as needed.
references:
    - https://attack.mitre.org/techniques/T1484/
    - https://attack.mitre.org/techniques/T1484/001
    - https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/
    - https://adsecurity.org/?p=2716
    - https://help.splunk.com/en/splunk-cloud-platform/get-started/get-data-in/9.3.2411/get-windows-data/monitor-active-directory
drilldown_searches:
    - name: View the detection results for - "$dcName$"
      search: '%original_detection_search% | search  dcName = "$dcName$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dcName$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dcName$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
finding:
    title: A new group policy objected was created on $dcName$
    entity:
        field: dcName
        type: system
        score: 50
analytic_story:
    - Active Directory Privilege Escalation
    - Sneaky Active Directory Persistence Tricks
asset_type: Endpoint
mitre_attack_id:
    - T1484.001
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_created/windows-admon.log
          source: ActiveDirectory
          sourcetype: ActiveDirectory
      test_type: unit