Group Policy Abuse for Privilege Addition
Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2021/11/08"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2026/05/03"

[rule]
author = ["Elastic"]
description = """
Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or
use them to add users as local admins.
"""
index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Group Policy Abuse for Privilege Addition"
references = [
    "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md",
    "https://labs.withsecure.com/tools/sharpgpoabuse",
]
risk_score = 73
rule_id = "b9554892-5e0e-424b-83a0-5aef95aa43bf"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Data Source: Active Directory",
    "Resources: Investigation Guide",
    "Use Case: Active Directory Monitoring",
    "Data Source: Windows Security Event Logs",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
any where host.os.type == "windows" and event.code: "5136" and
  winlog.event_data.AttributeLDAPDisplayName: "gPCMachineExtensionNames" and
  winlog.event_data.AttributeValue: "*827D319E-6EAC-11D2-A4EA-00C04F79F83A*" and
  winlog.event_data.AttributeValue: "*803E14A0-B4FB-11D0-A0D0-00A0C90F574B*"
'''

note = """## Triage and analysis

### Investigating Group Policy Abuse for Privilege Addition

`gPCMachineExtensionNames` lists the client-side extension GUID pairs that apply to the computer half of a GPO. Writing the Security CSE GUID together with the Computer Restricted Groups GUID is what happens when a GPO starts carrying a security template ("GptTmpl.inf"), the mechanism tools such as SharpGPOAbuse use to grant user rights or add accounts to local Administrators. The alert shows that the extension pair was enabled; the actual grant lives in SYSVOL and must be recovered during triage.

#### Possible investigation steps

- What GPO extension change was recorded?
  - Focus: `winlog.event_data.AttributeLDAPDisplayName`, `winlog.event_data.AttributeValue`, `winlog.event_data.OperationType`, `winlog.event_data.ObjectDN`, and `winlog.event_data.ObjectGUID` confirm the 5136 "gPCMachineExtensionNames" GPO change.
  - Implication: escalate when the value enables Security CSE GUID "827D319E-6EAC-11D2-A4EA-00C04F79F83A" plus Computer Restricted Groups GUID "803E14A0-B4FB-11D0-A0D0-00A0C90F574B" on an unexpected GPO; lower concern only when artifacts/scope confirm a recognized hardening refresh.
- Who changed the GPO, and from where?
  - Focus: identify the writer: `winlog.event_data.SubjectUserSid`, `winlog.event_data.SubjectUserName`, `winlog.event_data.SubjectLogonId`, and `winlog.computer_name`.
  - Hint: on `winlog.computer_name`, find "4624" where `winlog.event_data.TargetLogonId` equals the 5136 `winlog.event_data.SubjectLogonId`; search "4648" on `winlog.event_data.SubjectLogonId` for explicit credentials, then check `source.ip`, `winlog.logon.type`, `winlog.event_data.TargetUserName`, and `winlog.event_data.TargetServerName`. Missing logon telemetry is unresolved, not benign.
  - $investigate_0
  - $investigate_1
  - Implication: escalate when the writer is outside the GPO admin cohort, uses an unusual source or a direct domain-controller session, or shows alternate-credential use; lower concern when account/session match a recognized GPO administration path.
- Do surrounding directory changes show a coordinated GPO update?
  - Why: "5136" can record related object modifications; `winlog.event_data.OpCorrelationID` separates one GPO edit from directory noise.
  - Focus: reconstruct surrounding "5136" records from the same domain controller with `winlog.event_data.OpCorrelationID`, `winlog.event_data.SubjectLogonId`, `winlog.event_data.ObjectGUID`, changed attribute, and operation type.
  - Hint: prefer one `winlog.event_data.OpCorrelationID`; if absent, use the same `winlog.event_data.SubjectLogonId` plus tight `@timestamp` and `winlog.record_id` ordering. $investigate_2
  - Implication: escalate when the operation touches other sensitive GPO attributes or combines this privilege path with GPO execution or persistence; lower concern when the 5136 set stays narrow and artifact/scope checks confirm one recognized security-template task.
- What grants and recipients does the SYSVOL template define?
  - Why: the alert shows machine security extensions were enabled; rights or local group membership live in "GptTmpl.inf" under the SYSVOL policy folder.
  - Focus: use the policy GUID from the CN portion of `winlog.event_data.ObjectDN` with `winlog.event_data.DSName` to inspect "Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf"; map SIDs/groups to admin tier, service-account role, and whether `winlog.event_data.SubjectUserSid` benefits. Treat `winlog.event_data.ObjectGUID` as the AD object pivot, not the SYSVOL folder name, unless it matches the CN.
  - Hint: if SYSVOL is unavailable, preserve `winlog.event_data.ObjectDN`, `winlog.event_data.ObjectGUID`, `winlog.event_data.DSName`, and the expected policy path; suspicious writer/session or companion 5136 evidence makes the missing grant an evidence gap.
  - Implication: escalate when "[Privilege Rights]" grants high-impact rights ("SeDebugPrivilege", "SeTakeOwnershipPrivilege", "SeEnableDelegationPrivilege", or "SeImpersonatePrivilege"), when "[Group Membership]" adds broad/unexpected identities to local Administrators ("S-1-5-32-544"), or when the writer benefits; lower concern when entries and recipients match the recognized baseline for that GPO.
- Which computers consume the changed GPO?
  - Why: GPO privilege abuse scales with link scope, security filtering, WMI filters, and reach to admin workstations, servers, or domain controllers.
  - Focus: use `winlog.event_data.ObjectDN` and the recovered policy-folder GUID to review GPO links, security filtering, WMI filters, and roles.
  - Hint: if scope data is unavailable, preserve `winlog.event_data.ObjectDN` and `winlog.event_data.ObjectGUID`; do not assume narrow scope, and escalate if writer/session, companion-change, or grant evidence is suspicious.
  - Implication: prioritize escalation when the GPO reaches domain controllers, admin workstations, servers, or broad workstations; lower urgency only when scope matches the recognized maintenance/test population established by the grant evidence.
- If evidence remains suspicious or unresolved, do related events show broader abuse?
  - Focus: after confirming `user.id` is the writer, review recent modifying-account activity. $investigate_3
  - Hint: compare with activity scoped to the same `winlog.event_data.ObjectGUID`. $investigate_4
  - Implication: escalate scope when the writer or the same GPO appears in other GPO abuse, credential access, privilege escalation, or lateral movement; quiet history only narrows scope and cannot close unresolved grant or blast-radius questions.
- Escalate for unexpected writer/session, companion change, high-impact grant, sensitive scope, or related abuse; close only when the same GPO, writer/session, recovered grants, and scope prove one recognized hardening or restricted-groups workflow; if evidence stays mixed or incomplete, preserve GPO artifacts and escalate.

### False positive analysis

- Authorized GPO hardening, restricted-groups maintenance, red-team, or detection-validation can update "gPCMachineExtensionNames" and "GptTmpl.inf". Confirm only when writer/session, GPO object, `winlog.event_data.OpCorrelationID`, recovered template entries, and linked scope match the admin tier, change window, template, or test plan. Quiet history supports but cannot replace that proof; if any anchor diverges, do not close as benign.
- For exceptions, validate one authorized workflow matching writer SID, GPO object, grant pattern, and linked OU/host scope. Build the exception from that pattern, not from broad `event.code`, "gPCMachineExtensionNames", or GPO modification activity.

### Related rules

- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e
- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046

### Response and remediation

- If confirmed benign, reverse temporary containment and document writer SID, GPO object, logon/correlation IDs, recovered "GptTmpl.inf", and OU/host scope matching the workflow. Keep exceptions narrow and tied to that stable pattern.
- If suspicious but unconfirmed, preserve the "5136" event, object and writer/session IDs, `winlog.event_data.OpCorrelationID`, `winlog.computer_name`, exported "GptTmpl.inf", available SYSVOL metadata, linked "4624"/"4648" events, and related activity before containment. Use reversible controls first: restrict affected-GPO edits, limit the writer's GPO admin path, or monitor linked systems during scoping. Disable accounts or roll back GPOs only if follow-on abuse or malicious grants are confirmed.
- If confirmed malicious, preserve evidence first, remove unauthorized "[Privilege Rights]" or "[Group Membership]" entries, roll the GPO back to a known-good state, and verify exported SYSVOL metadata before forcing policy refresh. Use identity/endpoint response to contain the writer account and the admin workstation identified from `source.ip` and `winlog.logon.type` on the linked "4624"/"4648" events; if unavailable, escalate with writer/session, GPO, correlation, and SYSVOL artifacts.
- Review linked OUs and affected computers before deleting artifacts or forcing "gpupdate"; complete scoping before evidence changes.
- Harden: restrict GPO edit rights to dedicated admin tiers, retain "5136" auditing, keep security-template baselines, and document abuse variants or visibility gaps for detection engineering.
"""

setup = """## Setup

Audit Directory Service Changes must be enabled on the domain controllers to generate the 5136 events used by this rule.
Setup instructions: https://ela.st/audit-directory-service-changes
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.id",
    "winlog.event_data.SubjectUserName",
    "winlog.event_data.SubjectUserSid",
    "winlog.event_data.SubjectLogonId",
    "winlog.event_data.ObjectDN",
    "winlog.event_data.ObjectGUID",
    "winlog.event_data.AttributeLDAPDisplayName",
    "winlog.event_data.AttributeValue",
    "winlog.event_data.OperationType",
    "winlog.event_data.OpCorrelationID",
    "winlog.event_data.DSName",
    "host.id",
    "winlog.computer_name",
]

[transform]

[[transform.investigate]]
label = "Linked logon for the GPO writer"
description = ""
providers = [
    [
        { excluded = false, field = "winlog.computer_name", queryType = "phrase", value = "{{winlog.computer_name}}", valueType = "string" },
        { excluded = false, field = "event.code", queryType = "phrase", value = "4624", valueType = "string" },
        { excluded = false, field = "winlog.event_data.TargetLogonId", queryType = "phrase", value = "{{winlog.event_data.SubjectLogonId}}", valueType = "string" }
    ]
]
relativeFrom = "now-24h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Explicit-credential events for the GPO writer"
description = ""
providers = [
    [
        { excluded = false, field = "winlog.computer_name", queryType = "phrase", value = "{{winlog.computer_name}}", valueType = "string" },
        { excluded = false, field = "event.code", queryType = "phrase", value = "4648", valueType = "string" },
        { excluded = false, field = "winlog.event_data.SubjectLogonId", queryType = "phrase", value = "{{winlog.event_data.SubjectLogonId}}", valueType = "string" }
    ]
]
relativeFrom = "now-24h/h"
relativeTo = "now"

[[transform.investigate]]
label = "5136 events in this GPO change operation"
description = ""
providers = [
    [
        { excluded = false, field = "winlog.computer_name", queryType = "phrase", value = "{{winlog.computer_name}}", valueType = "string" },
        { excluded = false, field = "event.code", queryType = "phrase", value = "5136", valueType = "string" },
        { excluded = false, field = "winlog.event_data.OpCorrelationID", queryType = "phrase", value = "{{winlog.event_data.OpCorrelationID}}", valueType = "string" }
    ],
    [
        { excluded = false, field = "winlog.computer_name", queryType = "phrase", value = "{{winlog.computer_name}}", valueType = "string" },
        { excluded = false, field = "event.code", queryType = "phrase", value = "5136", valueType = "string" },
        { excluded = false, field = "winlog.event_data.SubjectLogonId", queryType = "phrase", value = "{{winlog.event_data.SubjectLogonId}}", valueType = "string" }
    ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Recent events associated with the source account"
description = ""
providers = [
    [
        { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
    ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Events associated with the modified GPO"
description = ""
providers = [
    [
        { excluded = false, field = "winlog.event_data.ObjectGUID", queryType = "phrase", value = "{{winlog.event_data.ObjectGUID}}", valueType = "string" }
    ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1484"
name = "Domain or Tenant Policy Modification"
reference = "https://attack.mitre.org/techniques/T1484/"

[[rule.threat.technique.subtechnique]]
id = "T1484.001"
name = "Group Policy Modification"
reference = "https://attack.mitre.org/techniques/T1484/001/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
Related rules
- Delegated Managed Service Account Modification by an Unusual User
- Service Creation via Local Kerberos Authentication
- dMSA Account Creation by an Unusual User
- Access to a Sensitive LDAP Attribute
- Kerberos Pre-authentication Disabled for User