Windows Default Domain GPO Modification
Detects modifications to Default Domain or Default Domain Controllers Group Policy Objects (GPOs). Adversaries may modify these default GPOs to deploy malicious configurations across the domain.
Sigma rule (View on GitHub)
1title: Windows Default Domain GPO Modification
2id: e5ac86dd-2da1-454b-be74-05d26c769d7d
3related:
4 - id: dcff7e85-d01f-4eb5-badd-84e2e6be8294
5 type: similar
6status: experimental
7description: |
8 Detects modifications to Default Domain or Default Domain Controllers Group Policy Objects (GPOs).
9 Adversaries may modify these default GPOs to deploy malicious configurations across the domain.
10references:
11 - https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html
12 - https://adsecurity.org/?p=3377
13 - https://www.pentestpartners.com/security-blog/living-off-the-land-gpo-style/
14 - https://jgspiers.com/audit-group-policy-changes/
15author: Swachchhanda Shrawan Poudel (Nextron Systems)
16date: 2025-11-22
17tags:
18 - attack.defense-evasion
19 - attack.privilege-escalation
20 - attack.t1484.001
21logsource:
22 product: windows
23 service: security
24 definition: |
25 Enable 'Audit Directory Service Changes' in the Default Domain Controllers Policy under:
26 Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> DS Access -> Audit Directory Service Changes (Success).
27 Additionally, proper SACL needs to be configured on the 'CN=Policies,CN=System,DC=<domain>,DC=<tld>' container in Active Directory to capture changes to Group Policy Objects.
28detection:
29 selection:
30 EventID: 5136
31 ObjectClass: 'groupPolicyContainer'
32 ObjectDN|startswith:
33 - 'CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM' # Default Domain Policy
34 - 'CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM' # Default Domain Controllers Policy
35 condition: selection
36falsepositives:
37 - Legitimate modifications to Default Domain or Default Domain Controllers GPOs
38level: medium
References
-
An analysis of the Gentlemen ransomware group, which employs advanced, adaptive tactics, techniques, and procedure to target critical industries worldwide.
Read More -
Active Directory security effectively begins with ensuring Domain Controllers (DCs) are configured securely. At BlackHat USA this past Summer, I spoke about AD for the security professional and provided tips on how to best secure Active Directory. This post focuses on Domain Controller security with some cross-over into Active Directory security. The blog is called ...
Read More -
TL;DR The ability to edit Group Policy Object (GPOs) from non-domain joined computers using the native Group Policy editor has been on my list for a long time. This blog post takes a deep dive into what steps were taken to find out why domain joined machines are needed in the first place and what […]
Read More -
Auditing Group Policy changes is a good practice to apply to ensure no settings are removed or added that could affect end-user experience. This should apply to every environment, as such it is equ...
Read More
Related rules
- Windows Default Domain GPO Modification via GPME
- Group Policy Abuse for Privilege Addition
- Startup/Logon Script Added to Group Policy Object
- Modify Group Policy Settings
- Modify Group Policy Settings - ScriptBlockLogging