T1484.001

Group Policy Modification

Adversaries may modify Group Policy Objects (GPOs) to subvert intended access controls across a Windows domain, typically to escalate privileges, disable security tools, or enable mass payload distribution. GPOs stored in SYSVOL control centralized user and computer settings across Active Directory environments. Malicious GPO modifications can deploy scheduled tasks, create accounts, grant dangerous privileges like SeEnableDelegationPrivilege, or push ransomware to every domain-joined machine simultaneously. LockBit 2.0/3.0 and Qilin ransomware modified GPOs to disable Windows Defender and propagate malware domain-wide. APT41 used GPO-deployed scheduled tasks for coordinated ransomware deployment. Indrik Spider (Evil Corp), Cinnamon Tempest, and Storm-0501 have all leveraged GPO modification for lateral movement and payload execution at scale. The Empire framework's New-GPOImmediateTask cmdlet and SharpGPOAbuse tool provide ready-made capabilities for GPO abuse by threat actors with sufficient AD permissions.

Microsoft Sentinel / Defender

kusto

// T1484.001 — Group Policy Modification Detection
// Requires: Directory Service Access auditing on Domain Controllers (enables Event IDs 5136/5137/5141)
// Branch 1: Active Directory audit events for GPO object creation and modification
let GPOAuditEvents = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID in (5136, 5137, 5138, 5141)
| where ObjectClass =~ "groupPolicyContainer"
       or (ObjectDN has "CN=Policies" and ObjectDN has "CN=System")
| extend GPOOperation = case(
    EventID == 5136 and OperationType has "14674", "GPO Attribute Added",
    EventID == 5136 and OperationType has "14675", "GPO Attribute Deleted",
    EventID == 5137, "GPO Object Created",
    EventID == 5138, "GPO Object Undeleted",
    EventID == 5141, "GPO Object Deleted",
    "GPO Object Modified"
)
| extend IsHighRiskAttribute = AttributeLDAPDisplayName in~ (
    "gPCMachineExtensionNames",  // New machine-side policy components (scheduled tasks, scripts)
    "gPCUserExtensionNames",      // New user-side policy components
    "nTSecurityDescriptor",        // GPO ACL change — common for privilege escalation backdoor
    "gPCFileSysPath",              // Points to a different SYSVOL path — redirection attack
    "versionNumber"                // Version increment confirms GPO was actively pushed
)
| extend IsDefaultGPO = ObjectDN has "Default Domain Policy"
              or ObjectDN has "Default Domain Controllers Policy"
| project TimeGenerated, Computer, SubjectUserName, SubjectDomainName,
          GPOOperation, ObjectDN, AttributeLDAPDisplayName, AttributeValue,
          IsHighRiskAttribute, IsDefaultGPO, SubjectLogonId, EventID;
// Branch 2: SYSVOL filesystem changes — where actual GPO policy content lives
// Key files: ScheduledTasks.xml (task injection), GptTmpl.inf (privilege rights, security settings)
//            GPT.INI (version tracking), Registry.xml (registry-based policy)
let SysvolFileChanges = DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath has @"\SYSVOL\" or FolderPath has @"\sysvol\"
| where FileName in~ ("ScheduledTasks.xml", "GptTmpl.inf", "GPT.INI",
                      "Startup.xml", "Shutdown.xml", "Registry.xml",
                      "Services.xml", "Groups.xml", "Files.xml")
      or FolderPath matches regex @"(?i)\\Policies\\\{[0-9A-Fa-f\-]{36}\}\\"
| extend IsCriticalFile = FileName in~ ("ScheduledTasks.xml", "GptTmpl.inf")
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, FolderPath,
          ActionType, IsCriticalFile,
          InitiatingProcessFileName, InitiatingProcessCommandLine;
// Branch 3: PowerShell execution of GPO management cmdlets and known attack tools
let GPOToolExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (
    "New-GPOImmediateTask",     // Empire / PowerView scheduled task injection via GPO
    "New-GPO",                  // Create new GPO
    "Set-GPOLink",              // Link GPO to OU
    "Import-GPO",               // Import GPO settings from backup
    "Set-GPPermissions",        // Modify GPO ACL
    "New-GPLink",               // Alternative GPO link cmdlet
    "Set-GPRegistryValue",      // Set registry policy
    "SharpGPOAbuse",            // Dedicated GPO abuse tool
    "Invoke-GPOZaurr",          // GPO audit/abuse framework
    "Get-GPPermissions",        // GPO permission enumeration (recon)
    "SeEnableDelegationPrivilege", // Dangerous privilege modification via GPO
    "GptTmpl.inf",              // Direct template file reference
    "New-GPPImmediateTask"      // Alternative cmdlet variant
)
| extend IsAttackTool = ProcessCommandLine has_any ("SharpGPOAbuse", "Invoke-GPOZaurr", "New-GPOImmediateTask")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, IsAttackTool;
// Surface all results with unified schema
GPOAuditEvents
| project TimeGenerated, Source="AD_DirectoryAudit", Host=Computer,
          User=strcat(SubjectDomainName, "\\", SubjectUserName),
          Action=GPOOperation, Detail=ObjectDN,
          Attribute=AttributeLDAPDisplayName,
          HighRisk=IsHighRiskAttribute,
          CriticalTarget=IsDefaultGPO,
          CommandContext=""
| union (
    SysvolFileChanges
    | project TimeGenerated=Timestamp, Source="SYSVOL_FileSystem", Host=DeviceName,
              User=InitiatingProcessAccountName,
              Action=strcat("SYSVOL ", ActionType),
              Detail=strcat(FolderPath, "\\", FileName),
              Attribute=FileName,
              HighRisk=IsCriticalFile,
              CriticalTarget=false,
              CommandContext=InitiatingProcessCommandLine
)
| union (
    GPOToolExecution
    | project TimeGenerated=Timestamp, Source="PowerShell_GPOTools", Host=DeviceName,
              User=AccountName,
              Action="GPO Tool Execution",
              Detail=ProcessCommandLine,
              Attribute="PowerShell",
              HighRisk=true,
              CriticalTarget=IsAttackTool,
              CommandContext=ProcessCommandLine
)
| sort by TimeGenerated desc

high severity high confidence

Data Sources

DS: Active Directory Object Modification File: File Modification Process: Process Creation Microsoft Defender for Endpoint Windows Security Audit Logs (Event IDs 5136, 5137, 5141)

Required Tables

SecurityEvent DeviceFileEvents DeviceProcessEvents

False Positives

Legitimate IT administrators using Group Policy Management Console (GPMC) or PowerShell RSAT modules during approved change management windows — generates 5136 events for every modified attribute
Microsoft Endpoint Configuration Manager (MECM/SCCM) or Microsoft Intune modifying GPOs for software deployment, compliance baselines, or device enrollment — look for SYSTEM or service account context
Automated patch management and security hardening tools (CIS-CAT, Tenable, Rapid7) that adjust GPO settings as part of compliance scanning or remediation
GPO backup and restore operations by domain administrators generating large volumes of 5136 events across all policy objects simultaneously
Domain join provisioning processes and Autopilot/MDM enrollment that create or link GPOs as part of device onboarding workflows

Splunk

spl

| union
    [search index=wineventlog sourcetype="WinEventLog:Security" (EventCode=5136 OR EventCode=5137 OR EventCode=5138 OR EventCode=5141)
    | rex field=_raw "Object DN:\s+(?P<ObjectDN>[^\r\n]+)"
    | rex field=_raw "Object Class:\s+(?P<ObjectClass>[^\r\n]+)"
    | rex field=_raw "LDAP Display Name:\s+(?P<AttributeLDAPDisplayName>[^\r\n]+)"
    | rex field=_raw "Attribute Value:\s+(?P<AttributeValue>[^\r\n]+)"
    | rex field=_raw "Subject:\s*\n\s+Security ID:\s+[^\n]+\n\s+Account Name:\s+(?P<SubjectUserName>[^\r\n]+)"
    | rex field=_raw "Account Domain:\s+(?P<SubjectDomainName>[^\r\n]+)"
    | where (ObjectClass="groupPolicyContainer" OR like(ObjectDN, "%CN=Policies%CN=System%"))
    | eval GPOOperation=case(
        EventCode=5136, "GPO Attribute Modified",
        EventCode=5137, "GPO Created",
        EventCode=5138, "GPO Undeleted",
        EventCode=5141, "GPO Deleted",
        true(), "GPO Changed"
    )
    | eval IsHighRisk=if(match(AttributeLDAPDisplayName, "(?i)(gPCMachineExtensionNames|gPCUserExtensionNames|nTSecurityDescriptor|gPCFileSysPath)"), 1, 0)
    | eval IsDefaultGPO=if(match(ObjectDN, "(?i)(Default Domain Policy|Default Domain Controllers Policy)"), 1, 0)
    | eval Source="AD_DirectoryAudit"
    | table _time, host, SubjectUserName, SubjectDomainName, GPOOperation, ObjectDN, AttributeLDAPDisplayName, AttributeValue, IsHighRisk, IsDefaultGPO, Source]
    [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
    | where like(TargetFilename, "%\\SYSVOL\\%") OR like(TargetFilename, "%\\sysvol\\%")
    | eval FileName=mvindex(split(TargetFilename, "\\"), -1)
    | where FileName IN ("ScheduledTasks.xml", "GptTmpl.inf", "GPT.INI", "Startup.xml", "Shutdown.xml", "Registry.xml", "Services.xml", "Groups.xml")
          OR match(TargetFilename, "(?i)\\\\Policies\\\\\{[0-9A-Fa-f\\-]{36}\\}\\\\")
    | eval IsHighRisk=if(FileName IN ("ScheduledTasks.xml", "GptTmpl.inf"), 1, 0)
    | eval GPOOperation="SYSVOL File Created/Modified"
    | eval Source="SYSVOL_FileSystem"
    | eval SubjectUserName=User, ObjectDN=TargetFilename, AttributeLDAPDisplayName=FileName, IsDefaultGPO=0
    | table _time, host, SubjectUserName, GPOOperation, ObjectDN, AttributeLDAPDisplayName, IsHighRisk, IsDefaultGPO, Source, Image, CommandLine]
    [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (Image="*\\powershell.exe" OR Image="*\\pwsh.exe")
    (CommandLine="*New-GPOImmediateTask*" OR CommandLine="*New-GPO*" OR CommandLine="*Set-GPOLink*"
     OR CommandLine="*Import-GPO*" OR CommandLine="*Set-GPPermissions*" OR CommandLine="*SharpGPOAbuse*"
     OR CommandLine="*Invoke-GPOZaurr*" OR CommandLine="*SeEnableDelegationPrivilege*"
     OR CommandLine="*GptTmpl.inf*" OR CommandLine="*Get-GPPermissions*")
    | eval IsHighRisk=if(match(CommandLine, "(?i)(SharpGPOAbuse|Invoke-GPOZaurr|New-GPOImmediateTask|SeEnableDelegationPrivilege)"), 1, 0)
    | eval GPOOperation="GPO Tool PowerShell Execution"
    | eval Source="PowerShell_GPOTools"
    | eval SubjectUserName=User, ObjectDN=CommandLine, AttributeLDAPDisplayName="PowerShell", IsDefaultGPO=0
    | table _time, host, SubjectUserName, GPOOperation, ObjectDN, AttributeLDAPDisplayName, IsHighRisk, IsDefaultGPO, Source, Image, CommandLine]
| eval RiskScore=if(IsHighRisk=1, 75, 40) + if(IsDefaultGPO=1, 25, 0)
| where RiskScore > 0
| sort - _time
| table _time, Source, host, SubjectUserName, GPOOperation, ObjectDN, AttributeLDAPDisplayName, IsHighRisk, IsDefaultGPO, RiskScore

high severity high confidence

Data Sources

DS: Active Directory Object Modification (Event IDs 5136, 5137, 5141) File: File Creation (Sysmon Event ID 11) Process: Process Creation (Sysmon Event ID 1) Windows Security Event Log Sysmon

Required Sourcetypes

WinEventLog:Security XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Authorized domain administrators using GPMC or PowerShell RSAT during scheduled change windows — cross-reference SubjectUserName against approved change management records
MECM/SCCM or Intune service accounts performing automated GPO management for device compliance and software deployment
Automated security configuration tools performing GPO-based hardening (CIS Benchmarks, DISA STIG) during maintenance windows
GPO backup and restore procedures that touch multiple SYSVOL files simultaneously
Domain provisioning and imaging workflows that link or create GPOs as part of new OU/site configuration

Elastic Security (EQL)

eql

any where
  (
    /* Branch 1: AD Directory Service Audit Events for GPO Modification */
    event.code in ("5136", "5137", "5138", "5141") and
    event.provider == "Microsoft-Windows-Security-Auditing" and
    (
      winlog.event_data.ObjectClass : "groupPolicyContainer" or
      winlog.event_data.ObjectDN : "*CN=Policies*CN=System*"
    )
  ) or
  (
    /* Branch 2: SYSVOL Filesystem Changes via Sysmon File Create (Event 11) */
    event.category == "file" and
    event.type in ("creation", "change") and
    file.path like~ "*sysvol*" and
    file.name in~ (
      "ScheduledTasks.xml", "GptTmpl.inf", "GPT.INI",
      "Startup.xml", "Shutdown.xml", "Registry.xml",
      "Services.xml", "Groups.xml", "Files.xml"
    )
  ) or
  (
    /* Branch 3: PowerShell GPO Management Cmdlets and Known Attack Tools */
    event.category == "process" and
    process.name in~ ("powershell.exe", "pwsh.exe") and
    process.command_line like~ (
      "*New-GPOImmediateTask*", "*New-GPO *", "*Set-GPOLink*",
      "*Import-GPO*", "*Set-GPPermissions*", "*SharpGPOAbuse*",
      "*Invoke-GPOZaurr*", "*SeEnableDelegationPrivilege*",
      "*GptTmpl.inf*", "*Get-GPPermissions*", "*New-GPLink*",
      "*Set-GPRegistryValue*", "*New-GPPImmediateTask*"
    )
  )

high severity high confidence

Data Sources

Windows Security Event Log (Domain Controllers) — requires Directory Service Access auditing enabled Sysmon Event ID 11 (File Create) — deployed to domain controllers and domain-joined servers Sysmon Event ID 1 (Process Create) or Windows Security Event ID 4688 with command-line auditing

Required Tables

winlogbeat-* (winlog.event_data.*) logs-endpoint.events.file-* logs-endpoint.events.process-* logs-system.security-*

False Positives

Legitimate Group Policy administrators running GPMC (Group Policy Management Console) or using PowerShell RSAT tools during change windows — expect 5136/5137 events from authorized admin accounts during scheduled maintenance
SCCM/Intune co-management scenarios where ConfigMgr writes policy files to SYSVOL paths as part of client policy refresh or compliance baseline deployment
Automated domain hardening scripts (CIS benchmarks, DISA STIGs) that programmatically create or modify GPOs via PowerShell — Set-GPRegistryValue and Import-GPO are common in legitimate baseline deployment pipelines
GPO backup and restore operations by domain admins using native GPMC backup functionality, which writes to SYSVOL and triggers 5136/5137 events with versionNumber and gPCFileSysPath attribute changes
Security assessment tools like PingCastle, BloodHound, or Purple Knight that enumerate GPO permissions via Get-GPPermissions as read-only recon — these produce PowerShell matches without modifying GPOs

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS "Event Time",
  LOGSOURCENAME(logsourceid) AS "Log Source",
  username AS "Username",
  sourceip AS "Source IP",
  QIDNAME(qid) AS "Event Name",
  "EventID" AS "Windows Event ID",
  CASE
    WHEN "EventID" = '5137' THEN 'GPO Object Created'
    WHEN "EventID" = '5138' THEN 'GPO Object Undeleted'
    WHEN "EventID" = '5141' THEN 'GPO Object Deleted'
    WHEN "EventID" = '5136' THEN 'GPO Attribute Modified'
    WHEN "EventID" IN ('1','4688') THEN 'GPO Tool PowerShell Execution'
    WHEN "EventID" = '11' THEN 'SYSVOL File Created or Modified'
    ELSE 'GPO Related Activity'
  END AS "GPO Operation",
  CASE
    WHEN "EventID" IN ('5136','5137','5138','5141') THEN 'AD_DirectoryAudit'
    WHEN "EventID" = '11' THEN 'SYSVOL_FileSystem'
    ELSE 'PowerShell_GPOTools'
  END AS "Detection Source",
  CASE
    WHEN LOWER(UTF8(payload)) LIKE '%grouppolicycontainer%'
      OR LOWER(UTF8(payload)) LIKE '%gpccmachineextensionnames%'
      OR LOWER(UTF8(payload)) LIKE '%ntSecurityDescriptor%'
      OR LOWER(UTF8(payload)) LIKE '%sharpgpoabuse%'
      OR LOWER(UTF8(payload)) LIKE '%new-gpoimmediacetask%'
      OR LOWER(UTF8(payload)) LIKE '%seenabledelegationprivilege%'
      OR LOWER(UTF8(payload)) LIKE '%gpttmpl.inf%'
      OR LOWER(UTF8(payload)) LIKE '%scheduledtasks.xml%'
    THEN 'HIGH'
    ELSE 'MEDIUM'
  END AS "Risk Level"
FROM events
WHERE LOGSOURCETYPEID IN (12, 2000, 2001)
  AND (
    /* Branch 1: AD Directory Audit Events */
    (
      "EventID" IN ('5136', '5137', '5138', '5141') AND
      (
        LOWER(UTF8(payload)) LIKE '%grouppolicycontainer%' OR
        LOWER(UTF8(payload)) LIKE '%cn=policies%cn=system%'
      )
    ) OR
    /* Branch 2: SYSVOL File System Changes (Sysmon EventID 11) */
    (
      "EventID" = '11' AND
      LOWER(UTF8(payload)) LIKE '%\\sysvol\\%' AND
      (
        LOWER(UTF8(payload)) LIKE '%scheduledtasks.xml%' OR
        LOWER(UTF8(payload)) LIKE '%gpttmpl.inf%' OR
        LOWER(UTF8(payload)) LIKE '%gpt.ini%' OR
        LOWER(UTF8(payload)) LIKE '%registry.xml%' OR
        LOWER(UTF8(payload)) LIKE '%startup.xml%' OR
        LOWER(UTF8(payload)) LIKE '%groups.xml%' OR
        LOWER(UTF8(payload)) LIKE '%services.xml%'
      )
    ) OR
    /* Branch 3: PowerShell GPO Cmdlets and Attack Tools */
    (
      "EventID" IN ('1', '4688') AND
      (
        LOWER(UTF8(payload)) LIKE '%powershell.exe%' OR
        LOWER(UTF8(payload)) LIKE '%pwsh.exe%'
      ) AND
      (
        LOWER(UTF8(payload)) LIKE '%new-gpoimmediacetask%' OR
        LOWER(UTF8(payload)) LIKE '%sharpgpoabuse%' OR
        LOWER(UTF8(payload)) LIKE '%invoke-gpozaurr%' OR
        LOWER(UTF8(payload)) LIKE '%set-gppermissions%' OR
        LOWER(UTF8(payload)) LIKE '%seenabledelegationprivilege%' OR
        LOWER(UTF8(payload)) LIKE '%import-gpo%' OR
        LOWER(UTF8(payload)) LIKE '%set-gpolink%' OR
        LOWER(UTF8(payload)) LIKE '%gpttmpl.inf%' OR
        LOWER(UTF8(payload)) LIKE '%new-gplink%' OR
        LOWER(UTF8(payload)) LIKE '%invoke-gpozaurr%'
      )
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

Windows Security Event Log on Domain Controllers (LOGSOURCETYPEID 12) — EventIDs 5136, 5137, 5138, 5141 require Directory Service Access audit policy Sysmon Operational Event Log (LOGSOURCETYPEID 2000 or 2001) — EventIDs 1 (Process Create) and 11 (File Create) Windows Security Event Log with 4688 process creation auditing as fallback if Sysmon is not deployed

Required Tables

events (QRadar normalized event store) LOGSOURCETYPEID 12 — Microsoft Windows Security Event Log LOGSOURCETYPEID 2000/2001 — Sysmon (variant depends on DSM version)

False Positives

Domain admins performing routine GPO management via GPMC or PowerShell RSAT tools during approved change windows — 5136 events are generated for every GPO attribute write including benign changes like description updates
Microsoft Endpoint Configuration Manager (MECM/SCCM) writing GPO-linked policy content to SYSVOL as part of co-management or compliance baseline deployment — creates SYSVOL file events with system account context
Enterprise backup agents (Veeam, Commvault) performing AD/SYSVOL backup operations will traverse and read SYSVOL, potentially triggering file access events that feed into QRadar log sources with file creation signatures
PowerShell Desired State Configuration (DSC) or Group Policy Operational Scripts that call Get-GPPermissions or Set-GPRegistryValue as part of idempotent infrastructure-as-code pipelines run by service accounts

Sumo Logic CSE

sql

(_sourceCategory="windows/security" OR _sourceCategory="windows/sysmon")
// Extract common fields from raw event text
| parse regex "(?s)EventID[=:\s]+(?P<EventID>\d+)" nodrop
| parse regex "(?i)Object DN[:\s]+(?P<ObjectDN>[^\r\n]+)" nodrop
| parse regex "(?i)Object Class[:\s]+(?P<ObjectClass>[^\r\n]+)" nodrop
| parse regex "(?i)LDAP Display Name[:\s]+(?P<LDAPAttribute>[^\r\n]+)" nodrop
| parse regex "(?i)Account Name[:\s]+(?P<SubjectUser>[^\r\n]+)" nodrop
| parse regex "(?i)TargetFilename[:\s]+(?P<TargetFilename>[^\r\n]+)" nodrop
| parse regex "(?i)CommandLine[:\s]+(?P<CommandLine>[^\r\n]+)" nodrop
| parse regex "(?i)Image[:\s]+(?P<Image>[^\r\n]+)" nodrop
// Filter to GPO-relevant events across all three detection branches
| where
    // Branch 1: AD Directory Audit — GPO object create/modify/delete
    (EventID in ("5136","5137","5138","5141")
     AND (ObjectClass matches "(?i).*groupPolicyContainer.*"
          OR ObjectDN matches "(?i).*CN=Policies.*CN=System.*"))
    // Branch 2: SYSVOL filesystem modification (Sysmon Event 11)
    OR (EventID = "11"
        AND TargetFilename matches "(?i).*\\\\sysvol\\\\.*"
        AND TargetFilename matches "(?i).*(ScheduledTasks\.xml|GptTmpl\.inf|GPT\.INI|Registry\.xml|Startup\.xml|Shutdown\.xml|Groups\.xml|Services\.xml).*")
    // Branch 3: PowerShell GPO cmdlets and known attack tools
    OR (EventID in ("1","4688")
        AND (Image matches "(?i).*(powershell|pwsh)\.exe")
        AND CommandLine matches "(?i).*(New-GPOImmediateTask|SharpGPOAbuse|Invoke-GPOZaurr|Set-GPPermissions|SeEnableDelegationPrivilege|Import-GPO|Set-GPOLink|GptTmpl\.inf|New-GPLink|Set-GPRegistryValue).*")
// Classify detection source
| if (EventID in ("5136","5137","5138","5141"), "AD_DirectoryAudit",
    if (EventID = "11", "SYSVOL_FileSystem", "PowerShell_GPOTools")) as DetectionSource
// Compute GPO operation label
| if (EventID = "5137", "GPO Created",
    if (EventID = "5138", "GPO Undeleted",
    if (EventID = "5141", "GPO Deleted",
    if (EventID = "5136", "GPO Attribute Modified",
    if (EventID = "11", "SYSVOL File Created/Modified",
    "GPO Tool Execution"))))) as GPOOperation
// High-risk flag: dangerous LDAP attributes, attack tools, or critical GPO files
| if (
    LDAPAttribute matches "(?i).*(gPCMachineExtensionNames|gPCUserExtensionNames|nTSecurityDescriptor|gPCFileSysPath|versionNumber).*"
    OR CommandLine matches "(?i).*(SharpGPOAbuse|Invoke-GPOZaurr|New-GPOImmediateTask|SeEnableDelegationPrivilege).*"
    OR TargetFilename matches "(?i).*(ScheduledTasks\.xml|GptTmpl\.inf).*"
  , 1, 0) as IsHighRisk
| if (ObjectDN matches "(?i).*(Default Domain Policy|Default Domain Controllers Policy).*", 1, 0) as IsDefaultGPO
| toInt(IsHighRisk) * 75 + toInt(IsDefaultGPO) * 25 as RiskScore
| where RiskScore > 0
| fields _messageTime, DetectionSource, _sourceHost, SubjectUser, EventID, GPOOperation, ObjectDN, LDAPAttribute, CommandLine, TargetFilename, IsHighRisk, IsDefaultGPO, RiskScore
| sort by _messageTime desc

high severity high confidence

Data Sources

_sourceCategory=windows/security — Windows Security Event Log from domain controllers with Directory Service Access auditing enabled _sourceCategory=windows/sysmon — Sysmon Operational log with Event ID 1 (Process Create) and Event ID 11 (File Create) rules configured Sysmon config must include FileCreate rules targeting SYSVOL paths and ProcessCreate rules for powershell.exe/pwsh.exe with command-line capture

Required Tables

_sourceCategory=windows/security _sourceCategory=windows/sysmon Windows Security EventIDs: 5136, 5137, 5138, 5141, 4688 Sysmon EventIDs: 1, 11

False Positives

Active Directory Group Policy administrators using GPMC or RSAT PowerShell tools during approved change windows — 5136 events fire on every attribute write including benign changes; filter by SubjectUser against a known GPO admin whitelist
SYSVOL DFS-R replication between domain controllers generates SYSVOL file creation/modification events as policy changes propagate across the domain — these will appear on all DCs, not just the one where the change originated
Microsoft Defender for Identity (MDI) or similar AD monitoring agents that actively read GPO objects and SYSVOL content as part of baseline collection may generate file read events that surface as file creation in some logging configurations
Change management tooling (ServiceNow orchestration, Puppet, Chef) that applies Group Policy changes via PowerShell automation accounts on a schedule — these produce legitimate GPO cmdlet executions that match the PowerShell branch

Google Chronicle / SecOps

yaral

rule t1484_001_group_policy_modification {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1484.001 Group Policy Modification via AD Directory Service audit events, SYSVOL policy file creation, or PowerShell GPO management cmdlet and attack tool execution. Covers LockBit/Qilin GPO-based ransomware propagation, Evil Corp lateral movement, and SharpGPOAbuse/Empire New-GPOImmediateTask tooling."
    mitre_attack_tactic = "Defense Evasion, Privilege Escalation"
    mitre_attack_technique = "T1484.001"
    mitre_attack_technique_name = "Group Policy Modification"
    severity = "HIGH"
    priority = "HIGH"
    false_positives = "Legitimate GPO administration via GPMC, SCCM baseline deployment, AD backup operations"
    created = "2026-04-19"
    version = "1.0"

  events:
    (
      /* Branch 1: AD Directory Service Access Audit — GPO object lifecycle */
      $e.metadata.vendor_name = "Microsoft" and
      $e.metadata.product_event_type in ("5136", "5137", "5138", "5141") and
      (
        re.regex($e.target.resource.name, `(?i)CN=Policies.*CN=System`) or
        $e.target.resource.resource_type = "DOMAIN" and
        re.regex($e.target.resource.attribute.labels["ObjectClass"], `(?i)groupPolicyContainer`)
      )
    ) or
    (
      /* Branch 2: SYSVOL policy file creation targeting critical GPO content */
      $e.metadata.event_type = "FILE_CREATION" and
      re.regex($e.target.file.full_path, `(?i)\\sysvol\\`) and
      re.regex($e.target.file.full_path,
        `(?i)(ScheduledTasks\.xml|GptTmpl\.inf|GPT\.INI|Registry\.xml|Startup\.xml|Shutdown\.xml|Groups\.xml|Services\.xml|Files\.xml)`
      )
    ) or
    (
      /* Branch 3: PowerShell GPO cmdlets and known attack tools */
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($e.principal.process.file.full_path, `(?i)(powershell|pwsh)\.exe`) and
      re.regex($e.target.process.command_line,
        `(?i)(New-GPOImmediateTask|New-GPPImmediateTask|SharpGPOAbuse|Invoke-GPOZaurr|Set-GPPermissions|Set-GPOLink|Import-GPO|SeEnableDelegationPrivilege|GptTmpl\.inf|Get-GPPermissions|New-GPLink|Set-GPRegistryValue)`
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Windows Event Log ingestion via Chronicle forwarder or Google SecOps SIEM agent — domain controllers with Directory Service Access auditing (EventIDs 5136/5137/5138/5141) Sysmon telemetry forwarded to Chronicle — EventID 11 (File Create) for SYSVOL file creation mapped to FILE_CREATION UDM, EventID 1 (Process Create) for PowerShell mapped to PROCESS_LAUNCH UDM Microsoft Defender for Endpoint telemetry via Chronicle integration — DeviceProcessEvents and DeviceFileEvents normalized to UDM

Required Tables

UDM events — metadata.event_type: FILE_CREATION, PROCESS_LAUNCH UDM events — metadata.product_event_type: 5136, 5137, 5138, 5141 principal.process.file.full_path (PROCESS_LAUNCH events) target.process.command_line (PROCESS_LAUNCH events) target.file.full_path (FILE_CREATION events) target.resource.name (Directory Service events)

False Positives

Group Policy administrators running scheduled GPO compliance audits or applying domain security baselines during change windows — the AD Directory branch fires on every GPO attribute modification including benign description or version updates
Microsoft Endpoint Configuration Manager (MECM) and Intune co-management scenarios where system accounts write policy templates to SYSVOL during client health evaluation or baseline enforcement cycles
Domain controller SYSVOL DFS-R replication traffic creates FILE_CREATION UDM events on replica DCs as they receive GPO content pushed from the PDC emulator — these are legitimate propagation events and will appear on all DCs simultaneously

CrowdStrike LogScale (CQL)

cql

// T1484.001 — Group Policy Modification
// Branch 1: PowerShell executing GPO management cmdlets or known attack tools
#event_simpleName=ProcessRollup2
| ImageFileName=/(?i)(powershell\.exe|pwsh\.exe)/
| CommandLine=/(?i)(New-GPOImmediateTask|New-GPPImmediateTask|New-GPO\s|Set-GPOLink|Import-GPO|Set-GPPermissions|SharpGPOAbuse|Invoke-GPOZaurr|SeEnableDelegationPrivilege|GptTmpl\.inf|Get-GPPermissions|New-GPLink|Set-GPRegistryValue)/
| IsAttackTool := if(CommandLine=/(?i)(SharpGPOAbuse|Invoke-GPOZaurr|New-GPOImmediateTask|SeEnableDelegationPrivilege)/, "true", "false")
| DetectionSource := "PowerShell_GPOTools"

| union {
  // Branch 2: SYSVOL file write events — GPO policy content modification
  #event_simpleName=FileWritten
  | TargetFileName=/(?i)\\sysvol\\/
  | TargetFileName=/(?i)(ScheduledTasks\.xml|GptTmpl\.inf|GPT\.INI|Registry\.xml|Startup\.xml|Shutdown\.xml|Groups\.xml|Services\.xml|Files\.xml)/
  | IsHighRisk := if(TargetFileName=/(?i)(ScheduledTasks\.xml|GptTmpl\.inf)/, "true", "false")
  | DetectionSource := "SYSVOL_FileSystem"
  | IsAttackTool := "false"
}

| union {
  // Branch 3: PowerShell script block telemetry — catches obfuscated/encoded GPO operations
  #event_simpleName=ScriptControlScanTelemetry
  | ScriptContent=/(?i)(New-GPOImmediateTask|SharpGPOAbuse|Invoke-GPOZaurr|Set-GPPermissions|SeEnableDelegationPrivilege|GptTmpl\.inf|New-GPO\s|Set-GPOLink|Import-GPO)/
  | IsAttackTool := if(ScriptContent=/(?i)(SharpGPOAbuse|Invoke-GPOZaurr|New-GPOImmediateTask|SeEnableDelegationPrivilege)/, "true", "false")
  | DetectionSource := "PSScriptBlock_GPOTools"
  | IsHighRisk := IsAttackTool
}

| table([#event_simpleName, @timestamp, ComputerName, UserName, ImageFileName, CommandLine, TargetFileName, ScriptContent, IsAttackTool, IsHighRisk, DetectionSource])
| sort(field=@timestamp, order=desc)

high severity high confidence

Data Sources

Falcon sensor ProcessRollup2 — process creation telemetry with command-line capture (requires full command-line collection enabled in sensor policy) Falcon sensor FileWritten — file write telemetry on domain controller assets (requires Enhanced File Monitoring or Comprehensive mode in sensor policy) Falcon sensor ScriptControlScanTelemetry — PowerShell script block logging collected by Falcon's Script Control feature (requires Script-Based Execution Monitoring in prevention policy)

Required Tables

#event_simpleName=ProcessRollup2 #event_simpleName=FileWritten #event_simpleName=ScriptControlScanTelemetry Falcon sensor deployed on domain controllers with FileWritten and ScriptControl telemetry enabled

False Positives

Authorized domain administrators running GPO management scripts via PowerShell RSAT — ProcessRollup2 and ScriptControlScanTelemetry events will fire on legitimate New-GPO, Set-GPOLink, and Set-GPRegistryValue cmdlet invocations; correlate UserName against a domain admin allowlist and verify activity aligns with a change ticket
SYSVOL DFS-R replication on domain controllers generates FileWritten events as GPO policy files propagate from the PDC emulator to replica DCs — these events appear on non-PDC domain controllers with the DFS Replication service account as the writing process; filter on UserName for SYSTEM or DFS-R service accounts during expected replication windows
Automated compliance and hardening tooling (PowerShell DSC, Puppet, Chef, Ansible) running as service accounts that use Set-GPRegistryValue or Import-GPO for idempotent policy enforcement — these produce recurring ProcessRollup2 matches on a schedule; baseline these service account + cmdlet combinations and suppress recurrences with allowlist rules in Falcon Fusion

Last updated: 2026-04-19 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1484.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Group Policy Modification

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections