This note documents detection patterns for GPO creation abuse in Active Directory: an account that holds the right to create Group Policy Objects creates a new one, links it to the domain or an OU, and uses it to run code on every computer or user in scope at the next policy refresh.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security (domain controller) | 5137 | A directory service object was created | Critical | Filter on ObjectClass groupPolicyContainer; ObjectDN holds the new policy GUID under CN=Policies,CN=System and SubjectUserName is the creator. Requires the Directory Service Changes audit subcategory and a SACL on the Policies container. |
| Security (domain controller) | 5136 | A directory service object was modified | High | On the new GPO: displayName, gPCFileSysPath and versionNumber being set. On the domain or an OU object: a Value Added change to gPLink naming the new GUID is the link itself. |
| Security (domain controller) | 5145 | A network share object was checked to see whether client can be granted desired access | Medium | ShareName \\*\SYSVOL with RelativeTargetName under Policies\{GUID} shows the policy folder and scripts being written. Requires Detailed File Share auditing and is noisy. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| New policy GUID folder | New {GUID} directory under SYSVOL\<domain>\Policies whose GUID matches the 5137 ObjectDN | Critical | Confirms the GPO exists on disk; GPT.ini and the subfolders show what was pushed. |
| Immediate policy linking | gPLink changed on the domain or an OU (5136, Value Added) within minutes of creation, usually by the same account | High | Change-managed GPOs are normally created, edited and tested before linking; create-and-link in one session is a deployment pattern. |
| Scripts inside new GPO | Machine\Scripts\Startup, User\Scripts\Logon, scripts.ini or psscripts.ini, or Preferences\ScheduledTasks\ScheduledTasks.xml inside the policy folder | Critical | Payload delivery mechanism: startup scripts run as SYSTEM on every computer in scope, logon scripts as every user in scope. |
Common Tools
| Tool | Usage |
|---|---|
| SharpGPOAbuse | Adds an immediate scheduled task, startup/logon script or user-rights assignment to an existing GPO the operator can edit; the GPO itself is usually created first with New-GPO. |
| PowerShell | GroupPolicy module (RSAT): New-GPO, New-GPLink, Set-GPRegistryValue, Set-GPPrefRegistryValue. |
| PowerView | Get-DomainGPO and Get-DomainObjectAcl to enumerate GPOs and who can create or edit them; Get-DomainOU to pick link targets. |
Relevant Artifacts
- SYSVOL Policies directory (\\<domain>\SYSVOL\<domain>\Policies\{GUID}), including the folder creation time
- GPT.ini (Version counter; every edit bumps it, so a high value on a brand-new GPO means rapid editing)
- Policy scripts: Machine\Scripts, User\Scripts, scripts.ini, psscripts.ini, and Preferences XML such as ScheduledTasks.xml
- Security log on the domain controllers (5137, 5136, 5145)
- EDR telemetry on clients: gpscript.exe or the Task Scheduler spawning the payload after the next policy refresh
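As an added example (not part of this note and not the output of any tool listed above), the following Python parses the two on-disk artifacts that answer the payload question: the packed Version counter in GPT.ini and the script lists in scripts.ini or psscripts.ini. The sample files, the domain name and the SYSVOL share path are constructed for the example; the flagging heuristic in flag_scripts is this example's own, not a documented rule.

```python
import configparser
import re

# Constructed sample files: not SYSVOL content captured from any real domain.
# GPT.ini is ANSI/UTF-8; scripts.ini and psscripts.ini are written by the
# policy editor as UTF-16 LE with a byte-order mark, reproduced here.
GPT_INI = b"[General]\r\nVersion=65539\r\ndisplayName=Chrome Update\r\n"
SCRIPTS_INI = b"\xff\xfe" + (
    "[Startup]\r\n"
    "0CmdLine=update.bat\r\n"
    "0Parameters=\r\n"
    "1CmdLine=\\\\corp.local\\NETLOGON\\helper.exe\r\n"
    "1Parameters=-q\r\n"
    "[Shutdown]\r\n"
).encode("utf-16-le")


def _decode(raw: bytes) -> str:
    """Honour a UTF-16 LE byte-order mark if present, else treat the file as UTF-8/ANSI."""
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def _ini(raw: bytes) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep "0CmdLine" / "0Parameters" casing intact
    cp.read_string(_decode(raw))
    return cp


def gpt_version(raw: bytes) -> dict:
    """GPT.ini 'Version' packs the user-side version in the high 16 bits and the
    computer-side version in the low 16 bits; the relevant half bumps on every edit."""
    v = int(_ini(raw)["General"]["Version"])
    return {"user": v >> 16, "machine": v & 0xFFFF}


def parse_scripts(raw: bytes) -> dict:
    """Return {phase: [(cmdline, parameters), ...]} in execution order from
    scripts.ini (Startup/Shutdown or Logon/Logoff) or psscripts.ini."""
    cp = _ini(raw)
    out = {}
    for phase in cp.sections():
        entries = {}
        for key, val in cp[phase].items():
            m = re.fullmatch(r"(\d+)(CmdLine|Parameters)", key)
            if m:
                entries.setdefault(int(m.group(1)), {})[m.group(2)] = val
        out[phase] = [(entries[i].get("CmdLine", ""), entries[i].get("Parameters", ""))
                      for i in sorted(entries)]
    return out


def flag_scripts(parsed: dict, policy_share_prefix: str) -> list:
    """Example heuristic: flag entries that point at a UNC path outside the
    policy's own SYSVOL folder or carry an encoded PowerShell command.
    Scripts added through the editor normally sit in the policy folder and
    are referenced by bare file name."""
    flagged = []
    for phase, entries in parsed.items():
        for cmd, params in entries:
            blob = f"{cmd} {params}".lower()
            remote = cmd.startswith("\\\\") and not cmd.lower().startswith(policy_share_prefix.lower())
            encoded = "-enc" in blob or "encodedcommand" in blob or "http" in blob
            if remote or encoded:
                flagged.append((phase, cmd, params))
    return flagged


if __name__ == "__main__":
    print(gpt_version(GPT_INI))
    scripts = parse_scripts(SCRIPTS_INI)
    print(scripts)
    print(flag_scripts(scripts, "\\\\corp.local\\SYSVOL\\corp.local\\Policies\\"))
```

Run it against the real files by reading them as bytes; psscripts.ini uses the same layout with the PowerShell script name in CmdLine.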
MITRE ATT&CK References
- T1484.001 Domain Policy Modification: Group Policy Modification
Decision Tree
- Identify the GPO creation event (5137 with ObjectClass groupPolicyContainer) and extract the policy GUID from ObjectDN.
- Determine the creator account (SubjectDomainName\SubjectUserName) and whether it belongs to the group expected to manage Group Policy.
- Inspect the SYSVOL policy folder for the payload: scripts, scripts.ini/psscripts.ini, scheduled-task preferences.
- Check policy links: 5136 gPLink changes naming the GUID, and the current gPLink of the domain and OUs.
- Identify impacted systems: every computer or user under the linked containers, applied at the next policy refresh.
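The decision tree above as an added Python example, not part of the original note: it correlates constructed 5137/5136 events (key names follow the Security log EventData fields; the GUID, domain and account are made up) with a constructed listing of the policy folder in SYSVOL and rates each finding. The 15-minute link window, the severity scale and the SYSVOL share path are assumptions of the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real log data). Keys mirror the EventData
# fields of Security 5137/5136 as logged on a domain controller.
GPO_GUID = "{3F2A8E1B-7C4D-4E5F-9A6B-1C2D3E4F5A6B}"
EVENTS = [
    {"EventID": 5137, "TimeCreated": "2024-05-01T10:00:00",
     "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "ObjectClass": "groupPolicyContainer",
     "ObjectDN": f"CN={GPO_GUID},CN=Policies,CN=System,DC=corp,DC=local"},
    {"EventID": 5137, "TimeCreated": "2024-05-01T10:00:01",   # noise: a user object, not a GPO
     "SubjectDomainName": "CORP", "SubjectUserName": "svc-prov",
     "ObjectClass": "user", "ObjectDN": "CN=t.nguyen,OU=Staff,DC=corp,DC=local"},
    {"EventID": 5136, "TimeCreated": "2024-05-01T10:00:05",   # attribute set on the new GPO
     "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "ObjectClass": "groupPolicyContainer",
     "ObjectDN": f"CN={GPO_GUID},CN=Policies,CN=System,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "displayName", "AttributeValue": "Chrome Update",
     "OperationType": "%%14674"},
    {"EventID": 5136, "TimeCreated": "2024-05-01T10:02:30",   # the link: gPLink value added on an OU
     "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "ObjectClass": "organizationalUnit", "ObjectDN": "OU=Workstations,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "gPLink",
     "AttributeValue": f"[LDAP://cn={GPO_GUID.lower()},cn=policies,cn=system,DC=corp,DC=local;0]",
     "OperationType": "%%14674"},
]
# Constructed listing of the new policy folder, relative to the assumed path
# \\corp.local\SYSVOL\corp.local\Policies\
SYSVOL_FILES = [
    f"{GPO_GUID}/GPT.ini",
    f"{GPO_GUID}/Machine/Scripts/scripts.ini",
    f"{GPO_GUID}/Machine/Scripts/Startup/update.bat",
]

GUID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.I)
VALUE_ADDED = "%%14674"        # 5136 OperationType for "Value Added"
LINK_WINDOW = timedelta(minutes=15)   # assumed window for "immediate" linking


def gpo_creations(events):
    """Steps 1-2: 5137 events for groupPolicyContainer objects, with GUID and creator."""
    found = []
    for e in events:
        if e["EventID"] != 5137 or e.get("ObjectClass") != "groupPolicyContainer":
            continue
        m = GUID_RE.search(e["ObjectDN"])
        if m:
            found.append({"guid": m.group(0).upper(),
                          "creator": f'{e["SubjectDomainName"]}\\{e["SubjectUserName"]}',
                          "created": datetime.fromisoformat(e["TimeCreated"])})
    return found


def payload_files(files, guid):
    """Step 3: files in the policy folder that deliver code to clients."""
    prefix = guid.upper() + "/"
    hits = []
    for f in files:
        if not f.upper().startswith(prefix):
            continue
        rel = f[len(prefix):]
        low = rel.lower()
        if "/scripts/" in low or low.endswith("scripts.ini") or low.endswith("scheduledtasks.xml"):
            hits.append(rel)
    return hits


def links_for(events, guid, created, window=LINK_WINDOW):
    """Step 4: gPLink 'Value Added' changes naming this GPO within the window after creation.
    Each hit's ObjectDN is the container to enumerate for step 5 (impacted systems)."""
    links = []
    for e in events:
        if (e["EventID"] != 5136 or e.get("AttributeLDAPDisplayName") != "gPLink"
                or e.get("OperationType") != VALUE_ADDED
                or guid.lower() not in e["AttributeValue"].lower()):
            continue
        t = datetime.fromisoformat(e["TimeCreated"])
        if created <= t <= created + window:
            links.append({"target": e["ObjectDN"], "delay_s": (t - created).total_seconds()})
    return links


def triage(events, files):
    """Walk the decision tree for every GPO creation and rate the result."""
    findings = []
    for c in gpo_creations(events):
        links = links_for(events, c["guid"], c["created"])
        payload = payload_files(files, c["guid"])
        severity = "critical" if links and payload else "high" if links or payload else "medium"
        findings.append({**c, "links": links, "payload": payload, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS, SYSVOL_FILES):
        print(f["severity"], f["guid"], "by", f["creator"],
              "linked to", [l["target"] for l in f["links"]], "payload", f["payload"])
```

A creation with neither a link nor a payload within the window is still worth a ticket (severity medium here): the attacker may link it later, and the 5136 on the OU will then match the same GUID.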
Example Detection Templates
KQL (Microsoft Sentinel, SecurityEvent table; 5137 fires for every directory object, so narrow it to GPO containers)

```kql
SecurityEvent
| where EventID == 5137
| where EventData has "groupPolicyContainer"
| project TimeGenerated, Computer, Account, EventData
```

EQL (Elastic, Winlogbeat field names)

```eql
any where event.code == "5137" and winlog.event_data.ObjectClass == "groupPolicyContainer"
```

Sigma

```yaml
title: New GPO Created
description: A groupPolicyContainer object was created in the directory (Security 5137). Requires Directory Service Changes auditing and a SACL on CN=Policies,CN=System.
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 5137
    ObjectClass: groupPolicyContainer
  condition: selection
falsepositives:
  - Legitimate GPO creation by Group Policy administrators
level: medium
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Permissions | Limit who can create GPOs: keep Group Policy Creator Owners tightly controlled and review the ACL on CN=Policies,CN=System for Create Child (groupPolicyContainer), GenericAll or WriteDacl grants to other principals | Critical | Reduces attack surface; also review who can edit existing GPOs and who can write gPLink on the domain and OUs. |
| Monitoring | Alert on 5137 groupPolicyContainer creations and on gPLink changes (5136) by accounts outside the GPO administration group | High | Detects persistence and lateral-movement attempts at deployment time, before the next policy refresh executes the payload. |