T1484.001 Microsoft Sentinel · KQL

Detect Group Policy Modification in Microsoft Sentinel

Adversaries may modify Group Policy Objects (GPOs) to subvert intended access controls across a Windows domain, typically to escalate privileges, disable security tools, or enable mass payload distribution. GPOs stored in SYSVOL control centralized user and computer settings across Active Directory environments. Malicious GPO modifications can deploy scheduled tasks, create accounts, grant dangerous privileges like SeEnableDelegationPrivilege, or push ransomware to every domain-joined machine simultaneously. LockBit 2.0/3.0 and Qilin ransomware modified GPOs to disable Windows Defender and propagate malware domain-wide. APT41 used GPO-deployed scheduled tasks for coordinated ransomware deployment. Indrik Spider (Evil Corp), Cinnamon Tempest, and Storm-0501 have all leveraged GPO modification for lateral movement and payload execution at scale. The Empire framework's New-GPOImmediateTask cmdlet and SharpGPOAbuse tool provide ready-made capabilities for GPO abuse by threat actors with sufficient AD permissions.

MITRE ATT&CK

Tactic: Defense Evasion, Privilege Escalation
Technique: T1484 Domain or Tenant Policy Modification
Sub-technique: T1484.001 Group Policy Modification
Canonical reference: https://attack.mitre.org/techniques/T1484/001/

KQL Detection Query

Microsoft Sentinel (KQL)
```kusto
// T1484.001 — Group Policy Modification Detection
// Requires: Directory Service Access auditing on Domain Controllers (enables Event IDs 5136/5137/5141)
// Branch 1: Active Directory audit events for GPO object creation and modification
let GPOAuditEvents = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID in (5136, 5137, 5138, 5141)
| where ObjectClass =~ "groupPolicyContainer"
       or (ObjectDN has "CN=Policies" and ObjectDN has "CN=System")
| extend GPOOperation = case(
    EventID == 5136 and OperationType has "14674", "GPO Attribute Added",    // %%14674 = value added
    EventID == 5136 and OperationType has "14675", "GPO Attribute Deleted",  // %%14675 = value deleted
    EventID == 5137, "GPO Object Created",
    EventID == 5138, "GPO Object Undeleted",
    EventID == 5141, "GPO Object Deleted",
    "GPO Object Modified"
)
| extend IsHighRiskAttribute = AttributeLDAPDisplayName in~ (
    "gPCMachineExtensionNames",  // New machine-side policy components (scheduled tasks, scripts)
    "gPCUserExtensionNames",      // New user-side policy components
    "nTSecurityDescriptor",        // GPO ACL change — common for privilege escalation backdoor
    "gPCFileSysPath",              // Points to a different SYSVOL path — redirection attack
    "versionNumber"                // Version increment confirms GPO was actively pushed
)
| extend IsDefaultGPO = ObjectDN has "Default Domain Policy"
              or ObjectDN has "Default Domain Controllers Policy"
| project TimeGenerated, Computer, SubjectUserName, SubjectDomainName,
          GPOOperation, ObjectDN, AttributeLDAPDisplayName, AttributeValue,
          IsHighRiskAttribute, IsDefaultGPO, SubjectLogonId, EventID;
// Branch 2: SYSVOL filesystem changes — where actual GPO policy content lives
// Key files: ScheduledTasks.xml (task injection), GptTmpl.inf (privilege rights, security settings)
//            GPT.INI (version tracking), Registry.xml (registry-based policy)
let SysvolFileChanges = DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath has "SYSVOL"   // `has` is case-insensitive, so one term covers SYSVOL and sysvol
| where FileName in~ ("ScheduledTasks.xml", "GptTmpl.inf", "GPT.INI",
                      "Startup.xml", "Shutdown.xml", "Registry.xml",
                      "Services.xml", "Groups.xml", "Files.xml")
      or FolderPath matches regex @"(?i)\\Policies\\\{[0-9A-Fa-f\-]{36}\}\\"
| extend IsCriticalFile = FileName in~ ("ScheduledTasks.xml", "GptTmpl.inf")
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, FolderPath,
          ActionType, IsCriticalFile,
          InitiatingProcessFileName, InitiatingProcessCommandLine;
// Branch 3: PowerShell execution of GPO management cmdlets and known attack tools
let GPOToolExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (
    "New-GPOImmediateTask",     // Empire / PowerView scheduled task injection via GPO
    "New-GPO",                  // Create new GPO
    "Set-GPOLink",              // Link GPO to OU
    "Import-GPO",               // Import GPO settings from backup
    "Set-GPPermissions",        // Modify GPO ACL
    "New-GPLink",               // Alternative GPO link cmdlet
    "Set-GPRegistryValue",      // Set registry policy
    "SharpGPOAbuse",            // Dedicated GPO abuse tool
    "Invoke-GPOZaurr",          // GPO audit/abuse framework
    "Get-GPPermissions",        // GPO permission enumeration (recon)
    "SeEnableDelegationPrivilege", // Dangerous privilege modification via GPO
    "GptTmpl.inf",              // Direct template file reference
    "New-GPPImmediateTask"      // Alternative cmdlet variant
)
| extend IsAttackTool = ProcessCommandLine has_any ("SharpGPOAbuse", "Invoke-GPOZaurr", "New-GPOImmediateTask")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, IsAttackTool;
// Surface all results with unified schema
GPOAuditEvents
| project TimeGenerated, Source="AD_DirectoryAudit", Host=Computer,
          User=strcat(SubjectDomainName, "\\", SubjectUserName),
          Action=GPOOperation, Detail=ObjectDN,
          Attribute=AttributeLDAPDisplayName,
          HighRisk=IsHighRiskAttribute,
          CriticalTarget=IsDefaultGPO,
          CommandContext=""
| union (
    SysvolFileChanges
    | project TimeGenerated=Timestamp, Source="SYSVOL_FileSystem", Host=DeviceName,
              User=InitiatingProcessAccountName,
              Action=strcat("SYSVOL ", ActionType),
              Detail=strcat(FolderPath, "\\", FileName),
              Attribute=FileName,
              HighRisk=IsCriticalFile,
              CriticalTarget=false,
              CommandContext=InitiatingProcessCommandLine
)
| union (
    GPOToolExecution
    | project TimeGenerated=Timestamp, Source="PowerShell_GPOTools", Host=DeviceName,
              User=AccountName,
              Action="GPO Tool Execution",
              Detail=ProcessCommandLine,
              Attribute="PowerShell",
              HighRisk=true,
              CriticalTarget=IsAttackTool,
              CommandContext=ProcessCommandLine
)
| sort by TimeGenerated desc
```

Severity: High · Confidence: High

Multi-branch detection covering three GPO modification vectors: (1) Active Directory directory service audit events (Security Event IDs 5136/5137/5141) on Domain Controllers for direct GPO object changes — requires DS Access auditing enabled via Advanced Audit Policy Configuration; (2) SYSVOL filesystem monitoring via DeviceFileEvents for modifications to policy content files including ScheduledTasks.xml (scheduled task injection), GptTmpl.inf (security template and privilege rights), and GPT.INI (version tracking); (3) PowerShell process events detecting known GPO management cmdlets and red team tools such as New-GPOImmediateTask and SharpGPOAbuse. High-risk flags identify changes to security-sensitive AD attributes and modifications to Default Domain Policy or Default Domain Controllers Policy. Results are unified into a single schema for analyst review.
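When Branch 1 fires on gPCMachineExtensionNames, the analyst needs to know which client-side extension (CSE) the change introduced; a 5136 pair records the old value (%%14675, deleted) and the new value (%%14674, added) of the attribute. This added Python example (not part of the original detection package) parses that bracketed-GUID format and diffs the two values. The Security and Scripts GUIDs are those cited in the tests below; the Scheduled Tasks CSE GUID is assumed from Microsoft's Group Policy Preferences CSE list, and the tool GUIDs in the sample are constructed placeholders.

```python
import re
from typing import Dict, List

# CSE GUID -> name. The first two are quoted on this page; the third is the
# assumed GUID of the Group Policy Preferences "Scheduled Tasks" CSE.
KNOWN_CSE = {
    "{827D319E-6EAC-11D2-A4EA-00C04F79F83A}": "Security (GptTmpl.inf)",
    "{42B5FAAE-6536-11D2-AE5A-0000F87571E3}": "Scripts (scripts.ini)",
    "{AADCED64-746C-4633-A97C-D61349046527}": "Preferences: Scheduled Tasks (ScheduledTasks.xml)",
}

GROUP_RE = re.compile(r"\[((?:\{[0-9A-Fa-f-]{36}\})+)\]")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Constructed sample attribute values; tool GUIDs are placeholders, not real snap-in IDs.
SAMPLE_OLD = "[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{11111111-1111-1111-1111-111111111111}]"
SAMPLE_NEW = SAMPLE_OLD + "[{AADCED64-746C-4633-A97C-D61349046527}{22222222-2222-2222-2222-222222222222}]"


def parse_extension_names(value: str) -> Dict[str, List[str]]:
    """Parse gPCMachineExtensionNames / gPCUserExtensionNames.

    The attribute is a sequence of bracketed groups. Inside each group the
    first GUID is the CSE that applies the settings and the remaining GUIDs
    are the MMC snap-ins (tools) that wrote them. Returns {cse: [tools]}.
    """
    result: Dict[str, List[str]] = {}
    for group in GROUP_RE.findall(value or ""):
        guids = [g.upper() for g in GUID_RE.findall(group)]
        result[guids[0]] = guids[1:]
    return result


def added_extensions(old_value: str, new_value: str) -> List[str]:
    """Given the deleted (%%14675) and added (%%14674) attribute values from a
    5136 pair, name the CSEs that are new in the GPO."""
    before = parse_extension_names(old_value)
    after = parse_extension_names(new_value)
    return [f"{g} {KNOWN_CSE.get(g, 'unknown CSE')}" for g in sorted(set(after) - set(before))]


if __name__ == "__main__":
    for line in added_extensions(SAMPLE_OLD, SAMPLE_NEW):
        print("new CSE:", line)
```

An unknown GUID in the output is itself worth a look, since a CSE the team cannot name is not one that approved tooling normally writes.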

Data Sources

  • DS: Active Directory Object Modification
  • File: File Modification
  • Process: Process Creation
  • Microsoft Defender for Endpoint
  • Windows Security Audit Logs (Event IDs 5136, 5137, 5141)

Required Tables

  • SecurityEvent
  • DeviceFileEvents
  • DeviceProcessEvents

False Positives & Tuning

  • Legitimate IT administrators using Group Policy Management Console (GPMC) or PowerShell RSAT modules during approved change management windows — generates 5136 events for every modified attribute
  • Microsoft Endpoint Configuration Manager (MECM/SCCM) or Microsoft Intune modifying GPOs for software deployment, compliance baselines, or device enrollment — look for SYSTEM or service account context
  • Automated patch management and security hardening tools (CIS-CAT, Tenable, Rapid7) that adjust GPO settings as part of compliance scanning or remediation
  • GPO backup and restore operations by domain administrators generating large volumes of 5136 events across all policy objects simultaneously
  • Domain join provisioning processes and Autopilot/MDM enrollment that create or link GPOs as part of device onboarding workflows
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create Malicious Scheduled Task via GPO (New-GPOImmediateTask)

    Expected signal: Security Event ID 5137 on Domain Controller: GPO container object created (ObjectClass=groupPolicyContainer). Security Event ID 5136 on DC: gPCMachineExtensionNames attribute added (indicating new machine policy CSE). Sysmon Event ID 11: File Create for ScheduledTasks.xml in SYSVOL path from PowerShell process. Security Event ID 5136: versionNumber attribute incremented on GPO object. PowerShell ScriptBlock Log (Event ID 4104) capturing New-GPO, New-GPLink, and file write operations.

  2. Test 2: Modify GptTmpl.inf to Grant SeEnableDelegationPrivilege

    Expected signal: Sysmon Event ID 11: File Create for GptTmpl.inf in SYSVOL path (\\DOMAIN\SYSVOL\DOMAIN\Policies\{GUID}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf). Security Event ID 5136 on DC: gPCMachineExtensionNames updated to include security extension GUID {827D319E-6EAC-11D2-A4EA-00C04F79F83A} (Security). versionNumber increment. PowerShell ScriptBlock Log Event ID 4104 capturing the file write and SYSVOL path construction.

  3. Test 3: Enumerate GPO Permissions with PowerView (Recon Phase)

    Expected signal: PowerShell ScriptBlock Log Event ID 4104: Get-GPPermissions cmdlet execution with -All parameter iterating across all GPOs. Sysmon Event ID 1: powershell.exe process creation with Get-GPPermissions and Get-GPO in command line. Active Directory query events may appear in Domain Controller logs for LDAP searches against CN=Policies.

  4. Test 4: Deploy Ransomware Simulation via GPO Startup Script

    Expected signal: Sysmon Event ID 11: File Create events for startup.bat and scripts.ini in SYSVOL path from powershell.exe. Security Event ID 5136 on DC: gPCMachineExtensionNames updated to include scripts CSE GUID {42B5FAAE-6536-11D2-AE5A-0000F87571E3}. versionNumber attribute incremented. PowerShell ScriptBlock Log Event ID 4104 with SYSVOL path construction and file write commands.
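Test 2 exercises the SYSVOL branch by writing a GptTmpl.inf that grants SeEnableDelegationPrivilege. When that alert fires, the file itself is the evidence; this added Python example (not part of the original detection package) inspects its [Privilege Rights] section and reports dangerous privileges assigned to principals outside an approved list. The approved-SID set (BUILTIN\Administrators only) and the sample INF content are constructed for the example.

```python
import configparser
from typing import List, Tuple

# Privileges whose assignment through a GPO is a common escalation path;
# SeEnableDelegationPrivilege is the one exercised in Test 2.
DANGEROUS_PRIVILEGES = {
    "SeEnableDelegationPrivilege", "SeDebugPrivilege", "SeTcbPrivilege",
    "SeTakeOwnershipPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeLoadDriverPrivilege",
}
# Assumed baseline: only BUILTIN\Administrators may hold these rights.
APPROVED_SIDS = {"*S-1-5-32-544"}

# Constructed sample GptTmpl.inf content; the domain SID is a placeholder.
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeEnableDelegationPrivilege = *S-1-5-32-544,*S-1-5-21-1234567890-1234567890-1234567890-1105
SeDebugPrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
"""


def unexpected_privilege_grants(inf_text: str) -> List[Tuple[str, str]]:
    """Return (privilege, principal) pairs from [Privilege Rights] where a
    dangerous privilege is granted to a principal not in APPROVED_SIDS.
    On disk GptTmpl.inf is UTF-16LE; read it with encoding="utf-16"."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep privilege names case-sensitive
    cp.read_string(inf_text)
    findings: List[Tuple[str, str]] = []
    if not cp.has_section("Privilege Rights"):
        return findings
    for priv, value in cp.items("Privilege Rights"):
        if priv not in DANGEROUS_PRIVILEGES:
            continue
        for principal in (p.strip() for p in value.split(",") if p.strip()):
            if principal not in APPROVED_SIDS:
                findings.append((priv, principal))
    return findings


if __name__ == "__main__":
    for priv, who in unexpected_privilege_grants(SAMPLE_GPTTMPL):
        print(f"{priv} granted to {who}")
```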
