Detect Group Policy Modification in Google Chronicle
Adversaries may modify Group Policy Objects (GPOs) to subvert intended access controls across a Windows domain, typically to escalate privileges, disable security tools, or enable mass payload distribution. GPOs stored in SYSVOL control centralized user and computer settings across Active Directory environments. Malicious GPO modifications can deploy scheduled tasks, create accounts, grant dangerous privileges like SeEnableDelegationPrivilege, or push ransomware to every domain-joined machine simultaneously. LockBit 2.0/3.0 and Qilin ransomware modified GPOs to disable Windows Defender and propagate malware domain-wide. APT41 used GPO-deployed scheduled tasks for coordinated ransomware deployment. Indrik Spider (Evil Corp), Cinnamon Tempest, and Storm-0501 have all leveraged GPO modification for lateral movement and payload execution at scale. The Empire framework's New-GPOImmediateTask cmdlet and SharpGPOAbuse tool provide ready-made capabilities for GPO abuse by threat actors with sufficient AD permissions.
MITRE ATT&CK
- Sub-technique: T1484.001 Group Policy Modification
- Canonical reference: https://attack.mitre.org/techniques/T1484/001/
YARA-L Detection Query
```yaral
rule t1484_001_group_policy_modification {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1484.001 Group Policy Modification via AD Directory Service audit events, SYSVOL policy file creation, or PowerShell GPO management cmdlet and attack tool execution. Covers LockBit/Qilin GPO-based ransomware propagation, Evil Corp lateral movement, and SharpGPOAbuse/Empire New-GPOImmediateTask tooling."
    mitre_attack_tactic = "Defense Evasion, Privilege Escalation"
    mitre_attack_technique = "T1484.001"
    mitre_attack_technique_name = "Group Policy Modification"
    severity = "HIGH"
    priority = "HIGH"
    false_positives = "Legitimate GPO administration via GPMC, SCCM baseline deployment, AD backup operations"
    created = "2026-04-19"
    version = "1.0"

  events:
    (
      /* Branch 1: AD Directory Service Access Audit — GPO object lifecycle.
         The inner "and" is parenthesised so the precedence (and binds tighter
         than or) is explicit: either the DN sits under CN=Policies,CN=System,
         or the object is a domain resource whose ObjectClass is groupPolicyContainer. */
      $e.metadata.vendor_name = "Microsoft" and
      $e.metadata.product_event_type in ("5136", "5137", "5138", "5141") and
      (
        re.regex($e.target.resource.name, `(?i)CN=Policies.*CN=System`) or
        (
          $e.target.resource.resource_type = "DOMAIN" and
          re.regex($e.target.resource.attribute.labels["ObjectClass"], `(?i)groupPolicyContainer`)
        )
      )
    ) or
    (
      /* Branch 2: SYSVOL policy file creation targeting critical GPO content */
      $e.metadata.event_type = "FILE_CREATION" and
      re.regex($e.target.file.full_path, `(?i)\\sysvol\\`) and
      re.regex($e.target.file.full_path,
        `(?i)(ScheduledTasks\.xml|GptTmpl\.inf|GPT\.INI|Registry\.xml|Startup\.xml|Shutdown\.xml|Groups\.xml|Services\.xml|Files\.xml)`
      )
    ) or
    (
      /* Branch 3: PowerShell GPO cmdlets and known attack tools */
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($e.principal.process.file.full_path, `(?i)(powershell|pwsh)\.exe`) and
      re.regex($e.target.process.command_line,
        `(?i)(New-GPOImmediateTask|New-GPPImmediateTask|SharpGPOAbuse|Invoke-GPOZaurr|Set-GPPermissions|Set-GPOLink|Import-GPO|SeEnableDelegationPrivilege|GptTmpl\.inf|Get-GPPermissions|New-GPLink|Set-GPRegistryValue)`
      )
    )

  condition:
    $e
}
```

Chronicle YARA-L 2.0 detection rule for T1484.001 Group Policy Modification. It covers three branches via UDM event matching: (1) AD Directory Service audit events (product_event_type 5136/5137/5138/5141) for GPO container object changes, including dangerous LDAP attribute writes; (2) FILE_CREATION UDM events targeting SYSVOL paths with critical GPO policy file names (ScheduledTasks.xml, GptTmpl.inf); and (3) PROCESS_LAUNCH UDM events for PowerShell executing GPO management cmdlets or known attack tools. The rule detects threat actor TTPs used by LockBit 2.0/3.0, Qilin, APT41, and Indrik Spider.
False Positives & Tuning
- Group Policy administrators running scheduled GPO compliance audits or applying domain security baselines during change windows — the AD Directory branch fires on every GPO attribute modification including benign description or version updates
- Microsoft Endpoint Configuration Manager (MECM) and Intune co-management scenarios where system accounts write policy templates to SYSVOL during client health evaluation or baseline enforcement cycles
- Domain controller SYSVOL DFS-R replication traffic creates FILE_CREATION UDM events on replica DCs as they receive GPO content pushed from the PDC emulator — these are legitimate propagation events and will appear on all DCs simultaneously
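The following is an added example, not part of this page or of Argus's rule package. It re-implements the three branches of the YARA-L rule above over a flattened, constructed stand-in for the UDM fields the rule reads (the dataclass field names are assumptions that mirror the UDM paths, not Chronicle's schema), and then layers on two of the suppressions described in the tuning notes: an allowlisted MECM service account for the SYSVOL branch, and a replication fan-out window that keeps only the first DC's write of a given SYSVOL path and drops the copies that land on other DCs shortly afterwards. The account name, hostnames, GUID and timestamps in the sample events are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Event:
    """Constructed, flattened stand-in for the UDM fields the rule reads.
    Each comment names the UDM path the field mirrors; this is not Chronicle's schema."""
    ts: int                       # event time, epoch seconds (constructed)
    hostname: str = ""            # principal.hostname (used only for replication dedup)
    vendor_name: str = ""         # metadata.vendor_name
    product_event_type: str = ""  # metadata.product_event_type
    event_type: str = ""          # metadata.event_type
    resource_name: str = ""       # target.resource.name
    resource_type: str = ""       # target.resource.resource_type
    object_class: str = ""        # target.resource.attribute.labels["ObjectClass"]
    file_path: str = ""           # target.file.full_path
    process_path: str = ""        # principal.process.file.full_path
    command_line: str = ""        # target.process.command_line
    principal_user: str = ""      # principal.user.userid (used only for tuning)


# The same patterns as the YARA-L rule, compiled for Python's re module.
AD_EVENT_IDS = {"5136", "5137", "5138", "5141"}
RE_POLICIES = re.compile(r"(?i)CN=Policies.*CN=System")
RE_GPC = re.compile(r"(?i)groupPolicyContainer")
RE_SYSVOL = re.compile(r"(?i)\\sysvol\\")
RE_GPO_FILES = re.compile(
    r"(?i)(ScheduledTasks\.xml|GptTmpl\.inf|GPT\.INI|Registry\.xml|Startup\.xml|"
    r"Shutdown\.xml|Groups\.xml|Services\.xml|Files\.xml)")
RE_PS = re.compile(r"(?i)(powershell|pwsh)\.exe")
RE_GPO_CMD = re.compile(
    r"(?i)(New-GPOImmediateTask|New-GPPImmediateTask|SharpGPOAbuse|Invoke-GPOZaurr|"
    r"Set-GPPermissions|Set-GPOLink|Import-GPO|SeEnableDelegationPrivilege|GptTmpl\.inf|"
    r"Get-GPPermissions|New-GPLink|Set-GPRegistryValue)")


def branch_ad_audit(e: Event) -> bool:
    """Branch 1: AD DS change audit (5136/5137/5138/5141) touching a GPO container."""
    return (e.vendor_name == "Microsoft"
            and e.product_event_type in AD_EVENT_IDS
            and (RE_POLICIES.search(e.resource_name) is not None
                 or (e.resource_type == "DOMAIN"
                     and RE_GPC.search(e.object_class) is not None)))


def branch_sysvol_file(e: Event) -> bool:
    """Branch 2: creation of a critical policy file somewhere under SYSVOL."""
    return (e.event_type == "FILE_CREATION"
            and RE_SYSVOL.search(e.file_path) is not None
            and RE_GPO_FILES.search(e.file_path) is not None)


def branch_powershell(e: Event) -> bool:
    """Branch 3: PowerShell running GPO cmdlets or known GPO abuse tooling."""
    return (e.event_type == "PROCESS_LAUNCH"
            and RE_PS.search(e.process_path) is not None
            and RE_GPO_CMD.search(e.command_line) is not None)


def matching_branches(e: Event) -> List[str]:
    checks = (("ad_audit", branch_ad_audit),
              ("sysvol_file", branch_sysvol_file),
              ("powershell", branch_powershell))
    return [name for name, fn in checks if fn(e)]


# Tuning knobs (constructed values): a MECM service account that legitimately writes
# policy templates, and the window in which DFS-R fan-out of one SYSVOL write is
# expected to show up on the remaining DCs.
MECM_SERVICE_ACCOUNTS = {"corp\\svc-mecm"}
REPLICATION_WINDOW_S = 120


def triage(events: List[Event]) -> Tuple[List[Tuple[Event, List[str]]], List[Tuple[Event, str]]]:
    """Apply the rule, then the two SYSVOL-branch suppressions from the tuning notes.
    Returns (alerts, suppressed): each alert carries its matching branch names, each
    suppressed event carries the reason it was dropped. Only events that match the
    SYSVOL branch alone are eligible for suppression."""
    alerts: List[Tuple[Event, List[str]]] = []
    suppressed: List[Tuple[Event, str]] = []
    first_seen: Dict[str, Event] = {}  # normalised SYSVOL path -> first DC write
    for e in sorted(events, key=lambda x: x.ts):
        branches = matching_branches(e)
        if not branches:
            continue
        if branches == ["sysvol_file"]:
            if e.principal_user.lower() in MECM_SERVICE_ACCOUNTS:
                suppressed.append((e, "mecm_service_account"))
                continue
            origin = first_seen.setdefault(e.file_path.lower(), e)
            if (origin is not e and origin.hostname != e.hostname
                    and e.ts - origin.ts <= REPLICATION_WINDOW_S):
                suppressed.append((e, "dfsr_replication_fanout"))
                continue
        alerts.append((e, branches))
    return alerts, suppressed


# Constructed sample telemetry: a new GPO container, its ScheduledTasks.xml written on
# the origin DC and replicated to a second DC, a GPO permission enumeration from a
# workstation, an MECM baseline write, and an unrelated file creation.
GPO_GUID = "{0A1B2C3D-0000-4000-8000-000000000001}"  # constructed placeholder GUID
SYSVOL_TASK = "\\".join(["C:", "Windows", "SYSVOL", "domain", "Policies", GPO_GUID,
                         "Machine", "Preferences", "ScheduledTasks", "ScheduledTasks.xml"])
SYSVOL_TMPL = "\\".join(["C:", "Windows", "SYSVOL", "domain", "Policies", GPO_GUID,
                         "Machine", "Microsoft", "Windows NT", "SecEdit", "GptTmpl.inf"])
SAMPLE_EVENTS = [
    Event(ts=100, hostname="DC01", vendor_name="Microsoft", product_event_type="5137",
          resource_name=f"CN={GPO_GUID},CN=Policies,CN=System,DC=corp,DC=local",
          resource_type="DOMAIN", object_class="groupPolicyContainer", principal_user="corp\\jdoe"),
    Event(ts=105, hostname="DC01", event_type="FILE_CREATION", file_path=SYSVOL_TASK,
          principal_user="corp\\jdoe"),
    Event(ts=110, hostname="DC02", event_type="FILE_CREATION", file_path=SYSVOL_TASK,
          principal_user="NT AUTHORITY\\SYSTEM"),
    Event(ts=200, hostname="WS01", event_type="PROCESS_LAUNCH",
          process_path="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
          command_line='powershell.exe -NoProfile -Command "Get-GPPermissions -All"',
          principal_user="corp\\jdoe"),
    Event(ts=300, hostname="DC01", event_type="FILE_CREATION", file_path=SYSVOL_TMPL,
          principal_user="corp\\svc-mecm"),
    Event(ts=400, hostname="WS01", event_type="FILE_CREATION", file_path="C:\\Temp\\notes.txt"),
]

if __name__ == "__main__":
    hits, dropped = triage(SAMPLE_EVENTS)
    for ev, why in hits:
        print("ALERT", ev.ts, ev.hostname, why)
    for ev, reason in dropped:
        print("SUPPRESSED", ev.ts, ev.hostname, reason)
```

The replication dedup keys only on the path and a time window; in production you would also confirm that the later events come from the DFS-R service context rather than an interactive user, otherwise a second operator writing the same file on another DC inside the window would be silently dropped.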
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Create Malicious Scheduled Task via GPO (New-GPOImmediateTask)
  Expected signal: Security Event ID 5137 on Domain Controller: GPO container object created (ObjectClass=groupPolicyContainer). Security Event ID 5136 on DC: gPCMachineExtensionNames attribute added (indicating a new machine policy CSE). Sysmon Event ID 11: File Create for ScheduledTasks.xml in SYSVOL path from PowerShell process. Security Event ID 5136: versionNumber attribute incremented on GPO object. PowerShell ScriptBlock Log (Event ID 4104) capturing New-GPO, New-GPLink, and file write operations.
- Test 2: Modify GptTmpl.inf to Grant SeEnableDelegationPrivilege
  Expected signal: Sysmon Event ID 11: File Create for GptTmpl.inf in SYSVOL path (\\DOMAIN\SYSVOL\DOMAIN\Policies\{GUID}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf). Security Event ID 5136 on DC: gPCMachineExtensionNames updated to include security extension GUID {827D319E-6EAC-11D2-A4EA-00C04F79F83A} (Security). versionNumber increment. PowerShell ScriptBlock Log Event ID 4104 capturing the file write and SYSVOL path construction.
- Test 3: Enumerate GPO Permissions with PowerView (Recon Phase)
  Expected signal: PowerShell ScriptBlock Log Event ID 4104: Get-GPPermissions cmdlet execution with -All parameter iterating across all GPOs. Sysmon Event ID 1: powershell.exe process creation with Get-GPPermissions and Get-GPO in command line. Active Directory query events may appear in Domain Controller logs for LDAP searches against CN=Policies.
- Test 4: Deploy Ransomware Simulation via GPO Startup Script
  Expected signal: Sysmon Event ID 11: File Create events for startup.bat and scripts.ini in SYSVOL path from powershell.exe. Security Event ID 5136 on DC: gPCMachineExtensionNames updated to include scripts CSE GUID {42B5FAAE-6536-11D2-AE5A-0000F87571E3}. versionNumber attribute incremented. PowerShell ScriptBlock Log Event ID 4104 with SYSVOL path construction and file write commands.
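The expected-signal lists above describe the same GPO change from two vantage points: the DC's Directory Service audit (5137 creation, 5136 attribute writes) and the host's Sysmon file events under SYSVOL. The added example below, which is not part of this page or of Argus's tests, correlates those records by GPO GUID so an analyst can see one timeline per GPO, decodes the gPCMachineExtensionNames value into CSE names (only the Security and Scripts GUIDs named in Tests 2 and 4 are labelled; everything else is reported as unknown), and lists the reasons a chain deserves attention. The record dictionaries, field names, GUIDs, account and host names are constructed for the example; the bracketed `[{CSE}{tool}]` layout of gPCMachineExtensionNames is the format assumed by the parser.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Client-side extension GUIDs named in the tests on this page; others are reported as unknown.
KNOWN_CSE = {
    "{827D319E-6EAC-11D2-A4EA-00C04F79F83A}": "Security",
    "{42B5FAAE-6536-11D2-AE5A-0000F87571E3}": "Scripts",
}


def gpo_guid(text: str) -> Optional[str]:
    """First GUID in a DN or SYSVOL path, upper-cased so both sources key identically."""
    m = GUID_RE.search(text)
    return m.group(0).upper() if m else None


def parse_extension_names(value: str) -> List[str]:
    """Decode a gPCMachineExtensionNames value into CSE labels.
    Assumed layout: repeated [...] groups where the first GUID is the CSE and any
    following GUIDs are its tool extensions."""
    labels = []
    for group in re.findall(r"\[([^\]]*)\]", value):
        guids = GUID_RE.findall(group)
        if guids:
            cse = guids[0].upper()
            labels.append(KNOWN_CSE.get(cse, "unknown:" + cse))
    return labels


@dataclass
class GpoActivity:
    created: bool = False                                   # 5137 seen for this container
    cses: List[str] = field(default_factory=list)           # from 5136 gPCMachineExtensionNames
    sysvol_files: List[str] = field(default_factory=list)   # Sysmon 11 targets under SYSVOL
    writers: Set[str] = field(default_factory=set)          # image names that wrote them
    actors: Set[str] = field(default_factory=set)           # subject accounts across sources


def correlate(records: List[dict]) -> Dict[str, GpoActivity]:
    """Group DC audit and Sysmon records (constructed dict shapes) by GPO GUID."""
    out: Dict[str, GpoActivity] = defaultdict(GpoActivity)
    for r in records:
        src, eid = r["source"], r["event_id"]
        if src == "security" and eid == 5137:
            g = gpo_guid(r["object_dn"])
            if g:
                out[g].created = True
                out[g].actors.add(r["subject"])
        elif src == "security" and eid == 5136 and r["attribute"] == "gPCMachineExtensionNames":
            g = gpo_guid(r["object_dn"])
            if g:
                out[g].cses.extend(parse_extension_names(r["value"]))
                out[g].actors.add(r["subject"])
        elif src == "sysmon" and eid == 11 and "\\sysvol\\" in r["target_filename"].lower():
            g = gpo_guid(r["target_filename"])
            if g:
                out[g].sysvol_files.append(r["target_filename"].rsplit("\\", 1)[-1])
                out[g].writers.add(r["image"].rsplit("\\", 1)[-1].lower())
                out[g].actors.add(r["user"])
    return dict(out)


def risk_reasons(a: GpoActivity) -> List[str]:
    """Why a per-GPO chain deserves analyst attention; an empty list means nothing notable."""
    reasons = []
    if a.created and a.sysvol_files:
        reasons.append("new GPO container and policy content written in the same record set")
    for cse in a.cses:
        if cse in ("Security", "Scripts"):
            reasons.append(cse + " CSE registered on the GPO")
    if a.writers & {"powershell.exe", "pwsh.exe"}:
        reasons.append("SYSVOL policy file written by a PowerShell process")
    return reasons


# Constructed records: G1 reproduces the Test 2 chain end to end; G2 is an existing GPO
# that only had an unknown CSE added, with no creation event and no SYSVOL write.
G1 = "{0A1B2C3D-0000-4000-8000-000000000001}"   # constructed GPO GUID
G2 = "{0A1B2C3D-0000-4000-8000-000000000002}"   # constructed GPO GUID
TOOL = "{0A1B2C3D-0000-4000-8000-0000000000AA}"  # constructed tool-extension GUID
OTHER_CSE = "{0A1B2C3D-0000-4000-8000-0000000000BB}"  # constructed, not in KNOWN_CSE
PS_IMAGE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_RECORDS = [
    {"source": "security", "event_id": 5137, "subject": "corp\\jdoe",
     "object_dn": f"CN={G1},CN=Policies,CN=System,DC=corp,DC=local"},
    {"source": "security", "event_id": 5136, "subject": "corp\\jdoe",
     "object_dn": f"CN={G1},CN=Policies,CN=System,DC=corp,DC=local",
     "attribute": "gPCMachineExtensionNames",
     "value": "[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}" + TOOL + "]"},
    {"source": "sysmon", "event_id": 11, "user": "corp\\jdoe", "image": PS_IMAGE,
     "target_filename": "\\".join(["C:", "Windows", "SYSVOL", "domain", "Policies", G1,
                                   "MACHINE", "Microsoft", "Windows NT", "SecEdit", "GptTmpl.inf"])},
    {"source": "security", "event_id": 5136, "subject": "corp\\gpoadmin",
     "object_dn": f"CN={G2},CN=Policies,CN=System,DC=corp,DC=local",
     "attribute": "gPCMachineExtensionNames", "value": "[" + OTHER_CSE + TOOL + "]"},
]

if __name__ == "__main__":
    for guid, activity in correlate(SAMPLE_RECORDS).items():
        print(guid, activity, risk_reasons(activity))
```

Keying on the GUID is what makes the two sources line up: the DN in the 5136/5137 events and the SYSVOL path in the Sysmon event both contain it, while account names and timestamps can legitimately differ between the DC and the writing host.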
References (9)
- https://attack.mitre.org/techniques/T1484/001/
- https://wald0.com/?p=179
- https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
- https://adsecurity.org/?p=2716
- https://github.com/FSecureLABS/SharpGPOAbuse
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-changes
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md