This note documents detection patterns related to SYSVOL GPO Tampering within Active Directory environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 5145 | Network share accessed | Critical | Access to SYSVOL policy files. |
| Security | 4663 | Object access | Critical | Modification of files inside SYSVOL. |
| Sysmon | 11 | File created | High | New script or payload dropped. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Script changes in policy folder | Startup/logon scripts altered | Critical | Execution across domain. |
| Registry.pol modification | Policy registry changes | High | Used for configuration abuse. |
| Unexpected file timestamps | Modified policy files | High | Possible tampering. |
Common Tools
| Tool | Usage |
|---|---|
| Manual file editing | Direct SYSVOL modification. |
| SharpGPOAbuse | Deploys payloads via SYSVOL. |
| PowerShell | Script deployment. |
Relevant Artifacts
- SYSVOL file system
- Policy GUID folders
- MFT timestamps
- EDR telemetry
- Security logs
MITRE ATT&CK References
- T1484 Domain Policy Modification
Decision Tree
- Detect SYSVOL file modification.
- Identify modifying account.
- Identify modified policy GUID.
- Inspect script or payload.
- Determine impacted hosts.
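The first three steps of the decision tree (detect the SYSVOL write, identify the account, identify the policy GUID) as an added Python triage example over constructed event records; this is not code from the original note. The records are shaped like SecurityEvent rows (EventID, Account, ObjectName, ShareName, RelativeTargetName, AccessMask), the field names are assumed, and the GUIDs are the well-known Default Domain Policy and Default Domain Controllers Policy values.

```python
import re
from collections import defaultdict

# Constructed sample events shaped like SecurityEvent rows (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4663, "Account": "CORP\\svc-backup", "AccessMask": "0x2",
     "ObjectName": r"C:\Windows\SYSVOL\sysvol\corp.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Scripts\Startup\update.ps1"},
    {"EventID": 5145, "Account": "CORP\\jdoe", "AccessMask": "0x2", "ShareName": r"\\*\SYSVOL",
     "RelativeTargetName": r"corp.local\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}\Machine\Registry.pol"},
    {"EventID": 5145, "Account": "CORP\\jdoe", "AccessMask": "0x1", "ShareName": r"\\*\NETLOGON",
     "RelativeTargetName": r"scripts\logon.bat"},
    {"EventID": 4663, "Account": "CORP\\jdoe", "AccessMask": "0x1",
     "ObjectName": r"C:\Windows\SYSVOL\sysvol\corp.local\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}\GPT.INI"},
]

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
WRITE_MASK = 0x2 | 0x4 | 0x10000          # WriteData, AppendData, DELETE bits
SENSITIVE = ("registry.pol", "\\scripts\\")  # indirect indicators from the note

def sysvol_path(event):
    """Return the path a SYSVOL event touched, or None when it is not SYSVOL."""
    if event["EventID"] == 4663:              # local file path on the DC
        path = event.get("ObjectName", "")
        return path if "sysvol" in path.lower() else None
    if event["EventID"] == 5145:              # share access, path is relative to the share
        if "sysvol" not in event.get("ShareName", "").lower():
            return None
        return event.get("RelativeTargetName", "")
    return None

def is_write(event):
    """True when the access mask includes a write or delete right."""
    return int(event.get("AccessMask", "0x0"), 16) & WRITE_MASK != 0

def triage(events):
    """Group SYSVOL write access by (account, policy GUID), flagging script/Registry.pol hits."""
    findings = defaultdict(list)
    for ev in events:
        path = sysvol_path(ev)
        if path is None or not is_write(ev):
            continue                           # read-only or non-SYSVOL: not tampering
        m = GUID_RE.search(path)
        guid = m.group(0).upper() if m else "(no policy GUID)"
        sensitive = any(s in path.lower() for s in SENSITIVE)
        findings[(ev["Account"], guid)].append({"path": path, "sensitive": sensitive})
    return dict(findings)

if __name__ == "__main__":
    for (account, guid), hits in triage(SAMPLE_EVENTS).items():
        print(account, guid, [h["path"] for h in hits])
```

The NETLOGON share access and the read-only GPT.INI access are dropped, leaving one finding per account and policy GUID for the analyst to take into the "inspect script or payload" step.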
Example Detection Templates
KQL
```kql
SecurityEvent
| where EventID in (4663, 5145)
// 4663 carries the local path in ObjectName; 5145 carries the share name in ShareName
| where ObjectName contains "SYSVOL" or ShareName contains "SYSVOL"
```
Sigma
```yaml
title: SYSVOL Policy Tampering
logsource:
  product: windows
  service: security
detection:
  # 4663 is only generated when object access auditing and a SACL cover the SYSVOL policy folders
  selection_file:
    EventID: 4663
    ObjectName|contains: 'SYSVOL'
  selection_share:
    EventID: 5145
    ShareName|contains: 'SYSVOL'
  condition: 1 of selection_*
level: high
```