title: Group Policy Modification (T1484.001)
id: df00tech-t1484-001
status: experimental
description: "Adversaries may modify Group Policy Objects (GPOs) to subvert intended access controls across a Windows domain, typically to escalate privileges, disable security tools, or enable mass payload distribution. GPOs stored in SYSVOL control centralized user and computer settings across Active Directory environments. Malicious GPO modifications can deploy scheduled tasks, create accounts, grant dangerous privileges like SeEnableDelegationPrivilege, or push ransomware to every domain-joined machine simultaneously. LockBit 2.0/3.0 and Qilin ransomware modified GPOs to disable Windows Defender and propagate malware domain-wide. APT41 used GPO-deployed scheduled tasks for coordinated ransomware deployment. Indrik Spider (Evil Corp), Cinnamon Tempest, and Storm-0501 have all leveraged GPO modification for lateral movement and payload execution at scale. The Empire framework's New-GPOImmediateTask cmdlet and SharpGPOAbuse tool provide ready-made capabilities for GPO abuse by threat actors with sufficient AD permissions."
references:
  - https://attack.mitre.org/techniques/T1484/001/
  - https://df00tech.com/detections/T1484.001
author: df00tech
date: 2026/04/19
tags:
  - attack.t1484.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate IT administrators using Group Policy Management Console (GPMC) or PowerShell RSAT modules during approved change management windows — generates 5136 events for every modified attribute
  - Microsoft Endpoint Configuration Manager (MECM/SCCM) or Microsoft Intune modifying GPOs for software deployment, compliance baselines, or device enrollment — look for SYSTEM or service account context
  - Automated patch management and security hardening tools (CIS-CAT, Tenable, Rapid7) that adjust GPO settings as part of compliance scanning or remediation
  - GPO backup and restore operations by domain administrators generating large volumes of 5136 events across all policy objects simultaneously
  - Domain join provisioning processes and Autopilot/MDM enrollment that create or link GPOs as part of device onboarding workflows
level: high
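Added example, not the df00tech rule's own detection logic or query: a small Python triage of Windows Security event 5136 (Directory Service Object Modified) records that keeps only GPO container changes and applies the false-positive reasoning above, with an allowlist of approved change accounts and a bulk-change threshold for backup/restore volume. The account names, GPO GUIDs and sample events are constructed assumptions.

```python
from collections import defaultdict
# Attributes whose change alters what a GPO executes on clients: CSE lists (e.g. adding
# the Scheduled Tasks extension), the SYSVOL path, and the version bump that forces re-apply.
SENSITIVE_ATTRS = {"gPCMachineExtensionNames", "gPCUserExtensionNames",
                   "gPCFileSysPath", "versionNumber"}
# Assumption: accounts allowed to modify GPOs (MECM/SCCM service account, GPO admins). Tune locally.
APPROVED_SUBJECTS = {"CORP\\svc-sccm", "CORP\\gpo-admin"}
BULK_THRESHOLD = 10  # distinct GPOs touched by one subject: backup/restore-style volume

def is_gpo_change(event):
    """5136 fires once per modified attribute; keep only GPO container objects."""
    return event.get("EventID") == 5136 and event.get("ObjectClass") == "groupPolicyContainer"

def triage(events):
    """Group GPO-modifying 5136 events by subject account and assign a verdict."""
    per_subject = defaultdict(lambda: {"gpos": set(), "sensitive": 0})
    for e in events:
        if not is_gpo_change(e):
            continue
        s = per_subject[f"{e['SubjectDomainName']}\\{e['SubjectUserName']}"]
        s["gpos"].add(e["ObjectDN"])
        if e.get("AttributeLDAPDisplayName") in SENSITIVE_ATTRS:
            s["sensitive"] += 1
    results = {}
    for subject, s in per_subject.items():
        if subject in APPROVED_SUBJECTS:
            verdict = "allowlisted"
        elif len(s["gpos"]) >= BULK_THRESHOLD:
            verdict = "bulk-review"  # backup/restore pattern: review, do not page
        elif s["sensitive"]:
            verdict = "alert"
        else:
            verdict = "info"
        results[subject] = {"gpos": len(s["gpos"]), "sensitive": s["sensitive"], "verdict": verdict}
    return results

def _ev(eid, cls, dn, attr, user):
    return {"EventID": eid, "ObjectClass": cls, "ObjectDN": dn, "AttributeLDAPDisplayName": attr,
            "SubjectUserName": user, "SubjectDomainName": "CORP"}
# Constructed sample events (not real telemetry); GPO GUIDs are placeholders.
GPO_DN = "CN={PLACEHOLDER-GPO-GUID},CN=Policies,CN=System,DC=corp,DC=local"
SAMPLE_EVENTS = [
    _ev(5136, "groupPolicyContainer", GPO_DN, "gPCMachineExtensionNames", "jdoe"),
    _ev(5136, "groupPolicyContainer", GPO_DN, "versionNumber", "jdoe"),
    _ev(5136, "groupPolicyContainer", GPO_DN, "versionNumber", "svc-sccm"),
    _ev(5136, "user", "CN=Bob,CN=Users,DC=corp,DC=local", "description", "jdoe"),
    _ev(4624, "", "", "", "jdoe"),  # logon event, not a directory change
] + [_ev(5136, "groupPolicyContainer", GPO_DN.replace("PLACEHOLDER", f"BULK-{i}"),
         "versionNumber", "backup-admin") for i in range(12)]
```

Running `triage(SAMPLE_EVENTS)` flags the unapproved account that changed the machine CSE list, passes the SCCM service account, and routes the twelve-GPO burst to review instead of an alert.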
