This note documents detection patterns for GPO link abuse in Active Directory: an attacker who holds write access to the gPLink attribute of an OU or of the domain object links a GPO they control (or an existing GPO they can edit) to that container, so the policy's settings are pushed to every computer and user beneath it.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security (DC) | 5136 | Directory object modified | Critical | AttributeLDAPDisplayName = gPLink on an OU or the domain object. Logged as a pair: Value Deleted (old link list) then Value Added (new link list). Requires the "Audit Directory Service Changes" subcategory and a Write Property SACL on the target object, otherwise nothing is logged. |
| Security (DC) | 4739 | Domain policy changed | Medium | Fires when domain-wide security settings (password, lockout, Kerberos policy) change, not when a link is created. It may follow a link change if the newly linked GPO alters those settings; treat it as corroboration, not as the link indicator. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| gPLink attribute modification | A GPO GUID appears in the gPLink value of an OU or the domain object that was not there before, or an existing link is reordered or set to enforced | Critical | The link is what deploys the policy; a GPO that is edited but never linked applies to nothing. |
| Policy linked to a large scope | Link target is a container holding many computer or user objects (top-level Workstations or Servers OU, or the domain root) | High | Mass compromise vector: the payload runs on every object beneath the container at the next policy refresh. |
| Domain Controllers OU linked | gPLink on OU=Domain Controllers changed | Critical | Computer-side payloads run as SYSTEM on every DC; this is equivalent to domain compromise. |
Common Tools
| Tool | Usage |
|---|---|
| SharpGPOAbuse | Adds the payload (immediate scheduled task, startup/logon script, user rights, local group membership) to an existing GPO. It does not create links; the GPO must already be linked, or the attacker links it separately. |
| PowerView | Enumerates links (Get-DomainOU -Properties gplink, Get-DomainGPO) and can write the attribute directly with Set-DomainObject -Set @{gplink=...}. |
| PowerShell GroupPolicy module | New-GPLink / Set-GPLink (including -Enforced and -LinkEnabled); the legitimate admin path, so attribution rests on who ran it and what was linked. |
Relevant Artifacts
- Active Directory object metadata: replication metadata for gPLink on the linked container (Get-ADReplicationAttributeMetadata, the msDS-ReplAttributeMetaData attribute) records the last originating change time and DC even when 5136 auditing was not enabled.
- SYSVOL policies: \\<domain>\SYSVOL\<domain>\Policies\{GPO GUID}, in particular GPT.INI version numbers, Machine\Preferences\ScheduledTasks\ScheduledTasks.xml, Scripts\, and GptTmpl.inf.
- Security logs on the domain controllers (5136 is only written on the DC that processed the write).
- EDR telemetry on the targeted hosts: the payload shows up as scheduled task creation, service installation, or script execution in the SYSTEM context after the policy refresh.
MITRE ATT&CK References
- T1484 Domain Policy Modification
- T1484.001 Domain Policy Modification: Group Policy Modification
Decision Tree
- Detect the gPLink change: Security 5136 on the OU or domain object; pair the Value Deleted and Value Added events to obtain the old and new link lists.
- Identify the linked GPO: the GUID in the new gPLink value, resolved with Get-GPO -Guid or under CN=Policies,CN=System.
- Identify the scope of deployment: which container was linked, the link order and enforced flag, and how many computers and users sit beneath it.
- Inspect the payload inside the policy: the GPO's SYSVOL folder (scripts, scheduled tasks, group membership, user rights) and its version counters.
- Identify affected hosts: machines under the container that have refreshed policy since the link was created (gpresult, EDR telemetry for the payload executing).
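The first three steps of the decision tree carried out over sample events, as an added example that is not part of the original note. The events are constructed to mimic the Value Deleted / Value Added pair that Security 5136 produces for a gPLink write, using the Sentinel SecurityEvent column names; the attacker GPO GUID, the domain corp.local and the account names are assumptions. The Default Domain Controllers Policy GUID is the well-known one.

```python
"""Triage Security 5136 gPLink changes: which GPO was linked, where, and how bad."""
import re
from typing import Dict, List, Tuple

# Constructed sample data, not real log output. OperationType %%14675 = "Value Deleted"
# (old attribute value), %%14674 = "Value Added" (new attribute value).
DEFAULT_DC_GPO = "{6AC1786C-016F-11D2-945F-00C04FB984F9}"   # Default Domain Controllers Policy (well known)
ROGUE_GPO = "{D1C3B2A1-0000-4000-8000-000000000001}"       # assumed attacker-controlled GPO (constructed)
DC_OU = "OU=Domain Controllers,DC=corp,DC=local"           # assumed domain


def _link(guid: str, options: int) -> str:
    """Build one gPLink entry in the on-disk format [LDAP://<GPO DN>;<options>]."""
    return f"[LDAP://CN={guid},CN=Policies,CN=System,DC=corp,DC=local;{options}]"


SAMPLE_EVENTS: List[Dict[str, str]] = [
    # old value: only the default DC policy was linked
    {"EventID": "5136", "OperationType": "%%14675", "SubjectUserName": "jdoe",
     "ObjectDN": DC_OU, "AttributeLDAPDisplayName": "gPLink",
     "AttributeValue": _link(DEFAULT_DC_GPO, 0)},
    # new value: rogue GPO prepended (highest precedence) and enforced (options bit 2)
    {"EventID": "5136", "OperationType": "%%14674", "SubjectUserName": "jdoe",
     "ObjectDN": DC_OU, "AttributeLDAPDisplayName": "gPLink",
     "AttributeValue": _link(ROGUE_GPO, 2) + _link(DEFAULT_DC_GPO, 0)},
    # unrelated 5136 on another attribute: must be ignored
    {"EventID": "5136", "OperationType": "%%14674", "SubjectUserName": "svc-adm",
     "ObjectDN": "CN=Alice,OU=Staff,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "description", "AttributeValue": "Finance"},
]

GPLINK_RE = re.compile(r"\[LDAP://CN=(\{[0-9A-Fa-f-]{36}\}),[^;\]]*;(\d+)\]")


def parse_gplink(value: str) -> List[Tuple[str, int]]:
    """Split a gPLink string into (GPO GUID, link options) in precedence order.
    Options bits: 1 = link disabled, 2 = enforced (ignores Block Inheritance)."""
    return [(guid.upper(), int(opts)) for guid, opts in GPLINK_RE.findall(value or "")]


def added_links(old: str, new: str) -> List[Tuple[str, int]]:
    """GPOs present in the new gPLink value but absent from the old one."""
    before = {guid for guid, _ in parse_gplink(old)}
    return [(guid, opts) for guid, opts in parse_gplink(new) if guid not in before]


def scope_severity(object_dn: str) -> str:
    """Domain root and the Domain Controllers OU are critical; any other container is high."""
    dn = object_dn.lower()
    if dn.startswith("ou=domain controllers,") or dn.startswith("dc="):
        return "critical"
    return "high"


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Pair Value Deleted / Value Added 5136 events per object and report newly linked GPOs."""
    old_values: Dict[str, str] = {}
    findings: List[Dict[str, object]] = []
    for ev in events:
        if ev.get("EventID") != "5136" or ev.get("AttributeLDAPDisplayName") != "gPLink":
            continue
        dn = ev["ObjectDN"]
        if ev["OperationType"] == "%%14675":
            old_values[dn] = ev["AttributeValue"]      # old value is logged first
            continue
        if ev["OperationType"] != "%%14674":
            continue
        # A missing old value (auditing gap) is treated as "everything is new".
        new_links = added_links(old_values.pop(dn, ""), ev["AttributeValue"])
        if not new_links:
            continue   # reorder or option change only; lower priority
        findings.append({
            "actor": ev["SubjectUserName"],
            "target": dn,
            "severity": scope_severity(dn),
            "added": new_links,
            "enforced": any(opts & 2 for _, opts in new_links),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The GUIDs reported in `added` are the next pivot: the folder under SYSVOL\<domain>\Policies with that name holds the payload, and the same value appears in the `displayName` lookup under CN=Policies,CN=System. Feeding the Value Deleted event is what makes the diff precise; without it every link on the container is reported as new, which is the right failure mode when auditing was only enabled recently.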
Example Detection Templates
KQL
SecurityEvent
| where EventID == 5136
| where AttributeLDAPDisplayName == "gPLink"
| where OperationType == "%%14674"   // Value Added: the new link list; %%14675 carries the old one
| project TimeGenerated, Computer, SubjectUserName, ObjectDN, AttributeValue
Sigma
title: Suspicious GPO Link Change
status: experimental
description: Detects a change to the gPLink attribute of an OU or the domain object (Security 5136), i.e. a GPO being linked, unlinked, reordered or enforced. Requires "Audit Directory Service Changes" and a Write Property SACL on the audited containers.
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5136
        AttributeLDAPDisplayName: 'gPLink'
    condition: selection
falsepositives:
    - Legitimate Group Policy administration; baseline on SubjectUserName and ObjectDN
level: high
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1484.001