T1484.001 IBM QRadar · QRadar

Detect Group Policy Modification in IBM QRadar

Adversaries may modify Group Policy Objects (GPOs) to subvert intended access controls across a Windows domain, typically to escalate privileges, disable security tools, or enable mass payload distribution. GPOs stored in SYSVOL control centralized user and computer settings across Active Directory environments. Malicious GPO modifications can deploy scheduled tasks, create accounts, grant dangerous privileges like SeEnableDelegationPrivilege, or push ransomware to every domain-joined machine simultaneously. LockBit 2.0/3.0 and Qilin ransomware modified GPOs to disable Windows Defender and propagate malware domain-wide. APT41 used GPO-deployed scheduled tasks for coordinated ransomware deployment. Indrik Spider (Evil Corp), Cinnamon Tempest, and Storm-0501 have all leveraged GPO modification for lateral movement and payload execution at scale. The Empire framework's New-GPOImmediateTask cmdlet and SharpGPOAbuse tool provide ready-made capabilities for GPO abuse by threat actors with sufficient AD permissions.

MITRE ATT&CK

Tactic: Defense Evasion, Privilege Escalation
Technique: T1484 Domain or Tenant Policy Modification
Sub-technique: T1484.001 Group Policy Modification
Canonical reference: https://attack.mitre.org/techniques/T1484/001/

QRadar Detection Query

IBM QRadar (QRadar)
```sql
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS "Event Time",
  LOGSOURCENAME(logsourceid) AS "Log Source",
  username AS "Username",
  sourceip AS "Source IP",
  QIDNAME(qid) AS "Event Name",
  "EventID" AS "Windows Event ID",
  CASE
    WHEN "EventID" = '5137' THEN 'GPO Object Created'
    WHEN "EventID" = '5138' THEN 'GPO Object Undeleted'
    WHEN "EventID" = '5141' THEN 'GPO Object Deleted'
    WHEN "EventID" = '5136' THEN 'GPO Attribute Modified'
    WHEN "EventID" IN ('1','4688') THEN 'GPO Tool PowerShell Execution'
    WHEN "EventID" = '11' THEN 'SYSVOL File Created or Modified'
    ELSE 'GPO Related Activity'
  END AS "GPO Operation",
  CASE
    WHEN "EventID" IN ('5136','5137','5138','5141') THEN 'AD_DirectoryAudit'
    WHEN "EventID" = '11' THEN 'SYSVOL_FileSystem'
    ELSE 'PowerShell_GPOTools'
  END AS "Detection Source",
  /* Payload is lower-cased, so every pattern below must be lower-case too */
  CASE
    WHEN LOWER(UTF8(payload)) LIKE '%grouppolicycontainer%'
      OR LOWER(UTF8(payload)) LIKE '%gpcmachineextensionnames%'
      OR LOWER(UTF8(payload)) LIKE '%ntsecuritydescriptor%'
      OR LOWER(UTF8(payload)) LIKE '%sharpgpoabuse%'
      OR LOWER(UTF8(payload)) LIKE '%new-gpoimmediatetask%'
      OR LOWER(UTF8(payload)) LIKE '%seenabledelegationprivilege%'
      OR LOWER(UTF8(payload)) LIKE '%gpttmpl.inf%'
      OR LOWER(UTF8(payload)) LIKE '%scheduledtasks.xml%'
    THEN 'HIGH'
    ELSE 'MEDIUM'
  END AS "Risk Level"
FROM events
WHERE LOGSOURCETYPEID IN (12, 2000, 2001)
  AND (
    /* Branch 1: AD Directory Audit Events */
    (
      "EventID" IN ('5136', '5137', '5138', '5141') AND
      (
        LOWER(UTF8(payload)) LIKE '%grouppolicycontainer%' OR
        LOWER(UTF8(payload)) LIKE '%cn=policies%cn=system%'
      )
    ) OR
    /* Branch 2: SYSVOL File System Changes (Sysmon EventID 11) */
    (
      "EventID" = '11' AND
      LOWER(UTF8(payload)) LIKE '%\\sysvol\\%' AND
      (
        LOWER(UTF8(payload)) LIKE '%scheduledtasks.xml%' OR
        LOWER(UTF8(payload)) LIKE '%gpttmpl.inf%' OR
        LOWER(UTF8(payload)) LIKE '%gpt.ini%' OR
        LOWER(UTF8(payload)) LIKE '%registry.xml%' OR
        LOWER(UTF8(payload)) LIKE '%startup.xml%' OR
        LOWER(UTF8(payload)) LIKE '%groups.xml%' OR
        LOWER(UTF8(payload)) LIKE '%services.xml%'
      )
    ) OR
    /* Branch 3: PowerShell GPO Cmdlets and Attack Tools */
    (
      "EventID" IN ('1', '4688') AND
      (
        LOWER(UTF8(payload)) LIKE '%powershell.exe%' OR
        LOWER(UTF8(payload)) LIKE '%pwsh.exe%'
      ) AND
      (
        LOWER(UTF8(payload)) LIKE '%new-gpoimmediatetask%' OR
        LOWER(UTF8(payload)) LIKE '%sharpgpoabuse%' OR
        LOWER(UTF8(payload)) LIKE '%invoke-gpozaurr%' OR
        LOWER(UTF8(payload)) LIKE '%set-gppermissions%' OR
        LOWER(UTF8(payload)) LIKE '%seenabledelegationprivilege%' OR
        LOWER(UTF8(payload)) LIKE '%import-gpo%' OR
        LOWER(UTF8(payload)) LIKE '%set-gpolink%' OR
        LOWER(UTF8(payload)) LIKE '%gpttmpl.inf%' OR
        LOWER(UTF8(payload)) LIKE '%new-gplink%'
      )
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS
```
Severity: high. Confidence: medium.

QRadar AQL rule detecting T1484.001 Group Policy Modification across three detection branches using raw payload inspection: (1) Windows Security event IDs 5136/5137/5138/5141 for AD-level GPO object create/modify/delete operations, (2) Sysmon Event 11 SYSVOL file creation targeting critical GPO policy files, and (3) PowerShell process execution events containing GPO management cmdlets and known attack tool signatures. Uses LOGSOURCETYPEID 12 (Windows Security) and 2000/2001 (Sysmon variants), and matches patterns against the UTF8 payload so that no custom properties are needed for the payload terms. The double-quoted "EventID" field is the one custom event property the rule does rely on; it must be defined and enabled for these log source types, and the payload is lower-cased before matching, so every LIKE pattern must be written in lower case.

Data Sources

  • Windows Security Event Log on Domain Controllers (LOGSOURCETYPEID 12) — EventIDs 5136, 5137, 5138, 5141 require Directory Service Access audit policy
  • Sysmon Operational Event Log (LOGSOURCETYPEID 2000 or 2001) — EventIDs 1 (Process Create) and 11 (File Create)
  • Windows Security Event Log with 4688 process creation auditing as fallback if Sysmon is not deployed

Required Tables

  • events (QRadar normalized event store)
  • LOGSOURCETYPEID 12 — Microsoft Windows Security Event Log
  • LOGSOURCETYPEID 2000/2001 — Sysmon (variant depends on DSM version)

False Positives & Tuning

  • Domain admins performing routine GPO management via GPMC or PowerShell RSAT tools during approved change windows — 5136 events are generated for every GPO attribute write including benign changes like description updates
  • Microsoft Endpoint Configuration Manager (MECM/SCCM) writing GPO-linked policy content to SYSVOL as part of co-management or compliance baseline deployment — creates SYSVOL file events with system account context
  • Enterprise backup agents (Veeam, Commvault) performing AD/SYSVOL backup operations traverse and read SYSVOL; on hosts where file access is logged, this can produce file events with the same SYSVOL policy file names and reach the same QRadar log sources
  • PowerShell Desired State Configuration (DSC) or Group Policy Operational Scripts that call Get-GPPermissions or Set-GPRegistryValue as part of idempotent infrastructure-as-code pipelines run by service accounts

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create Malicious Scheduled Task via GPO (New-GPOImmediateTask)

    Expected signal: Security Event ID 5137 on Domain Controller: GPO container object created (ObjectClass=groupPolicyContainer). Security Event ID 5136 on DC: gPCMachineExtensionNames attribute added (indicating new machine policy CSE). Sysmon Event ID 11: File Create for ScheduledTasks.xml in SYSVOL path from PowerShell process. Security Event ID 5136: versionNumber attribute incremented on GPO object. PowerShell ScriptBlock Log (Event ID 4104) capturing New-GPO, New-GPLink, and file write operations.

  2. Test 2: Modify GptTmpl.inf to Grant SeEnableDelegationPrivilege

    Expected signal: Sysmon Event ID 11: File Create for GptTmpl.inf in SYSVOL path (\\DOMAIN\SYSVOL\DOMAIN\Policies\{GUID}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf). Security Event ID 5136 on DC: gPCMachineExtensionNames updated to include security extension GUID {827D319E-6EAC-11D2-A4EA-00C04F79F83A} (Security). versionNumber increment. PowerShell ScriptBlock Log Event ID 4104 capturing the file write and SYSVOL path construction.

  3. Test 3: Enumerate GPO Permissions with PowerView (Recon Phase)

    Expected signal: PowerShell ScriptBlock Log Event ID 4104: Get-GPPermissions cmdlet execution with -All parameter iterating across all GPOs. Sysmon Event ID 1: powershell.exe process creation with Get-GPPermissions and Get-GPO in command line. Active Directory query events may appear in Domain Controller logs for LDAP searches against CN=Policies.

  4. Test 4: Deploy Ransomware Simulation via GPO Startup Script

    Expected signal: Sysmon Event ID 11: File Create events for startup.bat and scripts.ini in SYSVOL path from powershell.exe. Security Event ID 5136 on DC: gPCMachineExtensionNames updated to include scripts CSE GUID {42B5FAAE-6536-11D2-AE5A-0000F87571E3}. versionNumber attribute incremented. PowerShell ScriptBlock Log Event ID 4104 with SYSVOL path construction and file write commands.
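To check that the rule's three WHERE branches, its "Detection Source" and "Risk Level" CASE logic and a tuning allowlist behave as the description and these tests expect, here is an added Python model of the AQL rule (example code written for this page, not part of the original page or of IBM QRadar). The events are constructed to resemble the expected signals of Tests 1, 2 and 4; the domain, usernames, paths and the {GUID} placeholder are invented.

```python
# Added example: Python model of the AQL rule's branches, CASE logic and a tuning allowlist.
AD_IDS = {"5136", "5137", "5138", "5141"}
SYSVOL_FILES = ("scheduledtasks.xml", "gpttmpl.inf", "gpt.ini", "registry.xml",
                "startup.xml", "groups.xml", "services.xml")
GPO_TOOL_TERMS = ("new-gpoimmediatetask", "sharpgpoabuse", "invoke-gpozaurr", "set-gppermissions",
                  "seenabledelegationprivilege", "import-gpo", "set-gpolink", "gpttmpl.inf", "new-gplink")
HIGH_RISK_TERMS = ("grouppolicycontainer", "gpcmachineextensionnames", "ntsecuritydescriptor",
                   "sharpgpoabuse", "new-gpoimmediatetask", "seenabledelegationprivilege",
                   "gpttmpl.inf", "scheduledtasks.xml")

def like(text, *parts):
    """Emulate AQL LIKE '%a%b%': every part must occur in text, in order."""
    pos = 0
    for part in parts:
        pos = text.find(part, pos)
        if pos < 0:
            return False
        pos += len(part)
    return True

def detection_source(event_id, p):
    """Return the rule's 'Detection Source' label for a lower-cased payload, or None if no branch matches."""
    if event_id in AD_IDS and ("grouppolicycontainer" in p or like(p, "cn=policies", "cn=system")):
        return "AD_DirectoryAudit"       # Branch 1: directory service audit of GPO objects
    if event_id == "11" and "\\sysvol\\" in p and any(f in p for f in SYSVOL_FILES):
        return "SYSVOL_FileSystem"       # Branch 2: Sysmon file create under SYSVOL
    if event_id in ("1", "4688") and ("powershell.exe" in p or "pwsh.exe" in p) \
            and any(t in p for t in GPO_TOOL_TERMS):
        return "PowerShell_GPOTools"     # Branch 3: GPO cmdlets or tool names in a process start
    return None

def classify(event):
    p = event["payload"].lower()         # mirrors LOWER(UTF8(payload))
    source = detection_source(event["event_id"], p)
    if source is None:
        return None
    risk = "HIGH" if any(t in p for t in HIGH_RISK_TERMS) else "MEDIUM"
    return {"event_id": event["event_id"], "username": event["username"], "source": source, "risk": risk}

def run_detection(events, exempt_users=frozenset()):
    """Run the rule, then drop hits from allowlisted accounts (tuning, e.g. an MECM service account)."""
    return [h for h in map(classify, events) if h and h["username"] not in exempt_users]

# Constructed events (not real telemetry) shaped like Tests 1, 2 and 4; the last is a non-GPO 5136 that must not fire.
SAMPLE_EVENTS = [
    {"event_id": "5137", "username": "jdoe", "payload": "Object Class: groupPolicyContainer DN: CN={GUID},CN=Policies,CN=System,DC=corp,DC=example"},
    {"event_id": "5136", "username": "svc-mecm", "payload": "LDAP Display Name: gPCMachineExtensionNames Object DN: CN={GUID},CN=Policies,CN=System,DC=corp,DC=example"},
    {"event_id": "11", "username": "jdoe", "payload": r"TargetFilename: \\corp.example\SYSVOL\corp.example\Policies\{GUID}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"},
    {"event_id": "4688", "username": "jdoe", "payload": r"New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Command Line: powershell.exe New-GPOImmediateTask -TaskName Update"},
    {"event_id": "5136", "username": "jdoe", "payload": "LDAP Display Name: description Object DN: CN=Users,DC=corp,DC=example"},
]
```

Running `run_detection(SAMPLE_EVENTS, exempt_users={"svc-mecm"})` returns three HIGH hits (one per branch) and suppresses the MECM service account's 5136 write, which is the tuning case described above.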
