This note documents detection patterns related to GPO Modification within Active Directory environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 5136 | Directory service object modified | Critical | Write to a Group Policy Container (GPC) attribute: ObjectClass is groupPolicyContainer and ObjectDN sits under CN=Policies,CN=System. Attributes that matter are versionNumber, gPCMachineExtensionNames, gPCUserExtensionNames and gPCFileSysPath. Only generated when "Audit Directory Service Changes" is enabled and the object's SACL audits writes. |
| Security | 4739 | Domain policy was changed | High | Fires on the DC when domain account policy (password, lockout, Kerberos) changes, including when a GPO applies such a change. It does not name the GPO; correlate with 5136. |
| Security | 5145 | Network share object access check (detailed file share) | High | Shows the SYSVOL relative path (RelativeTargetName) and the access requested. Every domain member reads SYSVOL constantly, so filter on write access to \Policies\ paths. Requires "Audit Detailed File Share". |
| Security | 4663 | An attempt was made to access an object | Medium | File writes inside a SYSVOL policy directory. Only generated if "Audit File System" is enabled and a SACL is set on the Policies directory. |
| Sysmon | 1 | Process creation | Medium | Execution of GPO abuse tools on the attacker's foothold, and of script interpreters spawned by the delivered policy (startup scripts, scheduled tasks) on target hosts. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| SYSVOL policy changes | New or modified files under \\<domain>\SYSVOL\<domain>\Policies\{GPO GUID}\ | Critical | The Group Policy Template half of a GPO; payloads land here. Compare the Version line in GPT.ini with the versionNumber recorded in 5136. |
| Startup scripts added | Scripts plus scripts.ini/psscripts.ini under Machine\Scripts\Startup (or User\Scripts\Logon) | High | Runs as SYSTEM on every machine the GPO applies to at next boot; the usual mass-execution route. |
| Registry.pol changes | Modified Machine\Registry.pol or User\Registry.pol | High | Binary file carrying registry policy; used to plant Run keys or to weaken security settings on every targeted host. |
| Scheduled tasks deployed via GPO | ScheduledTasks.xml under Machine\Preferences\ScheduledTasks (Group Policy Preferences) | Critical | An "immediate task" runs once on the next policy refresh on every targeted host, which is the route SharpGPOAbuse's --AddComputerTask takes. |
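Added example, not part of the original note: a parser for the Registry.pol format referenced in the table, run over a constructed sample blob rather than a real SYSVOL file, that flags values planted under the Run/RunOnce keys or carrying an interpreter command line. The layout (PReg signature, version 1, UTF-16LE `[key;value;type;size;data]` records) is the documented Group Policy registry format; the sample key paths, the `Updater` value and its command line are constructed for the example.

```python
import struct

# Registry.pol layout (Group Policy registry extension): "PReg" signature, 4-byte
# version (1), then records of the form [key;value;type;size;data] in which the
# brackets, semicolons and both strings are UTF-16LE and the strings are NUL-terminated.
SIGNATURE = b"PReg"
OPEN, SEP, CLOSE = (c.encode("utf-16-le") for c in "[;]")
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}

def _u16z(text):
    """UTF-16LE string with NUL terminator, as stored in Registry.pol."""
    return text.encode("utf-16-le") + b"\x00\x00"

def build_registry_pol(entries):
    """Build a Registry.pol blob from (key, value_name, type_id, data) tuples.
    Used here only to construct sample data; a real file is read from SYSVOL."""
    blob = SIGNATURE + struct.pack("<I", 1)
    for key, value, type_id, data in entries:
        if type_id in (1, 2):          # REG_SZ / REG_EXPAND_SZ: NUL-terminated UTF-16LE
            raw = _u16z(data)
        elif type_id == 4:             # REG_DWORD: 4 bytes little-endian
            raw = struct.pack("<I", data)
        else:                          # anything else: caller passes raw bytes
            raw = data
        blob += (OPEN + _u16z(key) + SEP + _u16z(value) + SEP
                 + struct.pack("<I", type_id) + SEP + struct.pack("<I", len(raw)) + SEP
                 + raw + CLOSE)
    return blob

def _read_u16z(blob, pos):
    """Read a NUL-terminated UTF-16LE string at pos (2-byte aligned); return (text, next_pos)."""
    end = pos
    while blob[end:end + 2] != b"\x00\x00":
        if end >= len(blob):
            raise ValueError("unterminated string at offset %d" % pos)
        end += 2
    return blob[pos:end].decode("utf-16-le"), end + 2

def _expect(blob, pos, token):
    if blob[pos:pos + len(token)] != token:
        raise ValueError("expected %r at offset %d" % (token, pos))
    return pos + len(token)

def parse_registry_pol(blob):
    """Parse a Registry.pol blob into dicts with key, value, type and decoded data.
    Malformed input raises instead of silently yielding partial entries."""
    if len(blob) < 8 or blob[:4] != SIGNATURE or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a version-1 Registry.pol file")
    pos, entries = 8, []
    while pos < len(blob):
        pos = _expect(blob, pos, OPEN)
        key, pos = _read_u16z(blob, pos)
        pos = _expect(blob, pos, SEP)
        value, pos = _read_u16z(blob, pos)
        pos = _expect(blob, pos, SEP)
        type_id = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, SEP)
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, SEP)
        raw, pos = blob[pos:pos + size], pos + size
        pos = _expect(blob, pos, CLOSE)
        if type_id in (1, 2):
            data = raw.decode("utf-16-le").rstrip("\x00")
        elif type_id == 4 and size == 4:
            data = struct.unpack("<I", raw)[0]
        else:
            data = raw.hex()
        entries.append({"key": key, "value": value,
                        "type": REG_TYPES.get(type_id, "type_%d" % type_id), "data": data})
    return entries

# Keys under which a policy value means "run this at logon". Machine-side Registry.pol
# paths are relative to HKLM, so "Software\..." here is HKLM\Software\....
AUTOSTART_KEYS = (
    "software\\microsoft\\windows\\currentversion\\run",
    "software\\microsoft\\windows\\currentversion\\runonce",
)
INTERPRETERS = ("powershell", "cmd.exe", "mshta", "rundll32", "wscript", "cscript")

def flag_autostart(entries):
    """Return entries planted under Run/RunOnce or whose string data invokes an interpreter."""
    hits = []
    for e in entries:
        key = e["key"].lower()
        under_run = any(key == k or key.startswith(k + "\\") for k in AUTOSTART_KEYS)
        text = e["data"].lower() if isinstance(e["data"], str) else ""
        if under_run or any(t in text for t in INTERPRETERS):
            hits.append(e)
    return hits

# Constructed sample: one ordinary policy value and one planted Run entry (not real data).
SAMPLE_ENTRIES = [
    ("Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU", "NoAutoUpdate", 4, 0),
    ("Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Updater", 1,
     "powershell.exe -w hidden -enc SQBFAFgA"),
]
SAMPLE_POL = build_registry_pol(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for hit in flag_autostart(parse_registry_pol(SAMPLE_POL)):
        print("SUSPICIOUS:", hit["key"], hit["value"], hit["data"])
```

In practice the blob comes from the Machine\Registry.pol or User\Registry.pol copied out of the GPO's SYSVOL directory; diffing the parsed entries against the previous version of the file (or against a known-good export) shows exactly which values the change introduced.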
Common Tools
| Tool | Usage |
|---|---|
| SharpGPOAbuse | Adds an immediate scheduled task, startup/logon script, user-rights assignment or registry value to an existing GPO the operator can edit; writes both the GPC attributes and the SYSVOL files. |
| PowerView | Enumerates GPOs, their links and their ACLs (Get-DomainGPO, Get-DomainObjectAcl) to find principals with edit rights; Add-DomainObjectAcl can grant such rights. |
| PowerShell GPO cmdlets | Native administration (New-GPO, Set-GPRegistryValue, New-GPLink); equally usable by an attacker holding a GPO-editing account, so the account matters more than the tool. |
| Impacket | SMB and LDAP libraries for writing policy files into SYSVOL and editing GPC attributes from a non-Windows host; pyGPOAbuse is built on it. |
Relevant Artifacts
- SYSVOL directory
- GPT.ini
- registry.pol
- Startup and Logon scripts
- Domain controller security logs
- EDR telemetry
- File system metadata
MITRE ATT&CK References
- T1484 Domain Policy Modification
- T1484.001 Group Policy Modification
Decision Tree
- Detect the modification: 5136 with ObjectClass groupPolicyContainer, or a write to a SYSVOL Policies path (5145/4663).
- Identify which GPO changed: take the GUID from ObjectDN (CN={GUID},CN=Policies,CN=System,...) and resolve its displayName and the OUs it is linked to (gPLink).
- Identify the modifying account from SubjectDomainName\SubjectUserName and check whether it normally edits policy.
- Pivot to \\<domain>\SYSVOL\<domain>\Policies\{GUID}: compare the Version line in GPT.ini with the versionNumber from the event and list recently modified files.
- Determine the payload: Registry.pol values, scripts.ini/psscripts.ini and the scripts they reference, Preferences\ScheduledTasks\ScheduledTasks.xml command lines, and any CSE GUIDs newly added to gPCMachineExtensionNames or gPCUserExtensionNames.
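Added example, not part of the original note, that implements the decision tree above in code: it reads 5136 records in Windows event-XML form, keeps only groupPolicyContainer modifications, extracts the GPO GUID from ObjectDN and the actor from SubjectDomainName/SubjectUserName, maps the GPO to its SYSVOL directory, and names the payload type implied by client-side extension GUIDs newly registered in gPC*ExtensionNames. The field names and the %%14674/%%14675 operation codes are those of the real 5136 event and the three CSE GUIDs are Microsoft's documented extension IDs; the events themselves, the corp.local domain, the DC01 host and the jsmith/helpdesk accounts are constructed sample data.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Client-side extension (CSE) GUIDs that appear in gPC*ExtensionNames once a GPO carries
# that kind of payload; these are Microsoft's documented extension IDs.
CSE_NAMES = {
    "{42B5FAAE-6536-11D2-AE5A-0000F87571E3}": "Scripts (startup/shutdown/logon)",
    "{AADCED64-746C-4633-A97C-D61349046527}": "Preferences: Scheduled Tasks",
    "{35378EAC-683F-11D2-A89A-00C04FBBCFA2}": "Registry policy (Registry.pol)",
}
WATCHED_ATTRS = {"gPCMachineExtensionNames", "gPCUserExtensionNames", "versionNumber", "gPCFileSysPath"}
OPERATION = {"%%14674": "value added", "%%14675": "value deleted"}
GPO_DN_RE = re.compile(r"^CN=(\{[0-9A-F-]{36}\}),CN=Policies,CN=System,", re.I)
GUID_RE = re.compile(r"\{[0-9A-F-]{36}\}", re.I)

def parse_5136(xml_text):
    """Return the EventData fields (plus TimeCreated) of one 5136 record, or None if it is not 5136."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "5136":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    data["TimeCreated"] = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    return data

def gpo_guid(object_dn):
    """GPC distinguished name -> GPO GUID, or None when the object is not under CN=Policies."""
    m = GPO_DN_RE.match(object_dn)
    return m.group(1).upper() if m else None

def sysvol_path(domain, guid):
    """Directory holding the file half (GPT) of the GPO: the place to pull artifacts from."""
    return "\\\\%s\\SYSVOL\\%s\\Policies\\%s" % (domain, domain, guid)

def triage(events):
    """Decision tree over raw 5136 records: keep GPC writes, group them by GPO, record who
    changed what, and name the payload type implied by newly registered CSE GUIDs."""
    findings = defaultdict(lambda: {"actors": set(), "changes": [], "payload_types": set()})
    for xml_text in events:
        ev = parse_5136(xml_text)
        if not ev or ev.get("ObjectClass") != "groupPolicyContainer":
            continue                                  # user/computer/OU edits are out of scope
        guid, attr = gpo_guid(ev["ObjectDN"]), ev.get("AttributeLDAPDisplayName", "")
        if not guid or attr not in WATCHED_ATTRS:
            continue
        f = findings[guid]
        f["sysvol"] = sysvol_path(ev["DSName"], guid)
        f["actors"].add("%s\\%s" % (ev["SubjectDomainName"], ev["SubjectUserName"]))
        f["changes"].append((ev["TimeCreated"], attr,
                             OPERATION.get(ev["OperationType"], ev["OperationType"]),
                             ev["AttributeValue"]))
        # A CSE GUID being added to gPC*ExtensionNames is the earliest sign of a new payload type.
        if attr.endswith("ExtensionNames") and ev["OperationType"] == "%%14674":
            for g in GUID_RE.findall(ev["AttributeValue"]):
                if g.upper() in CSE_NAMES:
                    f["payload_types"].add(CSE_NAMES[g.upper()])
    return dict(findings)

def make_event(time, **data):
    """Constructed 5136 record in Windows event-XML shape (sample data, not a real DC log)."""
    body = "".join('<Data Name="%s">%s</Data>' % kv for kv in data.items())
    return ('<Event xmlns="%s"><System><EventID>5136</EventID><TimeCreated SystemTime="%s"/>'
            '<Computer>DC01.corp.local</Computer></System><EventData>%s</EventData></Event>'
            % (NS["e"], time, body))

DEFAULT_DOMAIN_POLICY = "{31B2F340-016D-11D2-945F-00C04FB984F9}"   # well-known GPO GUID
GPC_EDIT = dict(SubjectUserName="jsmith", SubjectDomainName="CORP", DSName="corp.local",
                ObjectDN="CN=%s,CN=Policies,CN=System,DC=corp,DC=local" % DEFAULT_DOMAIN_POLICY,
                ObjectClass="groupPolicyContainer")
SAMPLE_EVENTS = [
    # Scheduled Tasks CSE registered on the machine side: an immediate-task style footprint.
    make_event("2024-05-01T09:12:03Z", **dict(GPC_EDIT, AttributeLDAPDisplayName="gPCMachineExtensionNames",
        AttributeValue="[{00000000-0000-0000-0000-000000000000}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]"
                       "[{AADCED64-746C-4633-A97C-D61349046527}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]",
        OperationType="%%14674")),
    make_event("2024-05-01T09:12:04Z", **dict(GPC_EDIT, AttributeLDAPDisplayName="versionNumber",
        AttributeValue="65538", OperationType="%%14674")),
    # Ordinary directory change on a user object: same event ID, must be ignored.
    make_event("2024-05-01T09:15:40Z", SubjectUserName="helpdesk", SubjectDomainName="CORP",
        DSName="corp.local", ObjectDN="CN=Jane Doe,CN=Users,DC=corp,DC=local", ObjectClass="user",
        AttributeLDAPDisplayName="telephoneNumber", AttributeValue="555-0100", OperationType="%%14674"),
]

if __name__ == "__main__":
    for guid, f in triage(SAMPLE_EVENTS).items():
        print(guid, sorted(f["actors"]), sorted(f["payload_types"]), f["sysvol"])
        for change in f["changes"]:
            print("   ", *change)
```

The same logic applies to XML exported from a DC with Get-WinEvent or forwarded through a SIEM; the key design choice is filtering on ObjectClass before anything else, since 5136 fires for every audited directory write and the GPC filter is what makes the remaining volume reviewable.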
Example Detection Templates
KQL
```kql
SecurityEvent
| where EventID == 5136
| where ObjectClass == "groupPolicyContainer"
| where ObjectDN has "CN=Policies,CN=System"
| project TimeGenerated, Computer, SubjectDomainName, SubjectUserName, ObjectDN,
          AttributeLDAPDisplayName, OperationType, AttributeValue
```
EQL
```eql
any where event.code == "5136" and
  winlog.event_data.ObjectClass == "groupPolicyContainer" and
  winlog.event_data.AttributeLDAPDisplayName in ("gPCMachineExtensionNames", "gPCUserExtensionNames", "versionNumber", "gPCFileSysPath")
```
Sigma
```yaml
title: Suspicious GPO Modification
status: experimental
description: Write to a Group Policy Container attribute. Requires the Directory Service Changes audit subcategory.
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5136
        ObjectClass: groupPolicyContainer
    condition: selection
falsepositives:
    - Routine GPO administration by the accounts and hosts that normally edit policy
level: high
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Permissions | Restrict GPO edit rights (Edit settings, Edit settings/delete/modify security) to a small dedicated group; review GPO ACLs and SYSVOL NTFS permissions for broad principals such as Authenticated Users holding write access. | Critical | Removes the precondition that SharpGPOAbuse and similar tools depend on. |
| Monitoring | Alert on 5136 for groupPolicyContainer objects and on write access to SYSVOL Policies paths, baselined against the accounts and change windows that normally edit policy. | High | Surfaces the change at write time, typically before the next client policy refresh applies it. |
| Auditing | Enable "Audit Directory Service Changes" and "Audit Detailed File Share" and set SACLs on the Policies container and the SYSVOL Policies directory. | High | Without both the subcategory and the SACL, 5136 and 4663 are never generated. |