Windows Default Domain GPO Modification
Detects modifications to Default Domain or Default Domain Controllers Group Policy Objects (GPOs). Adversaries may modify these default GPOs to deploy malicious configurations across the domain.
Sigma rule
title: Windows Default Domain GPO Modification
id: e5ac86dd-2da1-454b-be74-05d26c769d7d
related:
    - id: dcff7e85-d01f-4eb5-badd-84e2e6be8294
      type: similar
status: experimental
description: |
    Detects modifications to Default Domain or Default Domain Controllers Group Policy Objects (GPOs).
    Adversaries may modify these default GPOs to deploy malicious configurations across the domain.
references:
    - https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html
    - https://adsecurity.org/?p=3377
    - https://www.pentestpartners.com/security-blog/living-off-the-land-gpo-style/
    - https://jgspiers.com/audit-group-policy-changes/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-22
tags:
    - attack.privilege-escalation
    - attack.defense-impairment
    - attack.t1484.001
logsource:
    product: windows
    service: security
    definition: |
        Enable 'Audit Directory Service Changes' in the Default Domain Controllers Policy under:
        Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> DS Access -> Audit Directory Service Changes (Success).
        Additionally, a proper SACL needs to be configured on the 'CN=Policies,CN=System,DC=<domain>,DC=<tld>' container in Active Directory to capture changes to Group Policy Objects.
detection:
    selection:
        EventID: 5136
        ObjectClass: 'groupPolicyContainer'
        ObjectDN|startswith:
            - 'CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM' # Default Domain Policy
            - 'CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM' # Default Domain Controllers Policy
    condition: selection
falsepositives:
    - Legitimate modifications to Default Domain or Default Domain Controllers GPOs
level: medium
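To show what the selection above actually matches, here is the same logic re-implemented in plain Python and run over a handful of constructed Security-log records. This is an added example, not code from SigmaHQ or the rule author; the sample events are made up to mimic the fields of event 5136 (and one 5137), and the OperationType code mapping follows the Microsoft documentation for that event. Note that Sigma string matching, including `startswith`, is case-insensitive, which is why a DN written as `CN=Policies,CN=System` still matches the upper-case prefixes in the rule.

```python
"""Plain-Python re-implementation of the Sigma selection for event 5136 on the
two default GPO containers, run over constructed sample records."""
from typing import Iterable, List, Optional

# Well-known GUIDs of the two default GPOs, copied from the rule's ObjectDN|startswith list.
DEFAULT_GPO_PREFIXES = {
    "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM": "Default Domain Policy",
    "CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM": "Default Domain Controllers Policy",
}

# Event 5136 OperationType resource strings as documented by Microsoft.
OPERATION_TYPES = {"%%14674": "Value Added", "%%14675": "Value Deleted"}


def match_default_gpo_change(event: dict) -> Optional[dict]:
    """Apply the rule's selection to one event record.

    Sigma compares strings case-insensitively, so everything is upper-cased
    before comparison. Returns an enriched alert dict on a hit, else None.
    """
    if str(event.get("EventID", "")) != "5136":
        return None
    if str(event.get("ObjectClass", "")).upper() != "GROUPPOLICYCONTAINER":
        return None
    object_dn = str(event.get("ObjectDN", "")).upper()
    for prefix, policy_name in DEFAULT_GPO_PREFIXES.items():
        if object_dn.startswith(prefix):
            op_code = event.get("OperationType", "")
            return {
                "policy": policy_name,
                "attribute": event.get("AttributeLDAPDisplayName", "?"),
                "operation": OPERATION_TYPES.get(op_code, op_code or "?"),
                "subject": f"{event.get('SubjectDomainName', '?')}\\{event.get('SubjectUserName', '?')}",
                "object_dn": event.get("ObjectDN", ""),
            }
    return None


def detect(events: Iterable[dict]) -> List[dict]:
    """Run the selection over a stream of records and collect the hits in order."""
    return [hit for hit in (match_default_gpo_change(e) for e in events) if hit]


# Constructed sample records (not real telemetry). Field names follow event 5136.
SAMPLE_EVENTS = [
    {   # Hit: machine-side CSE list of the Default Domain Policy changed (mixed-case DN on purpose)
        "EventID": "5136", "ObjectClass": "groupPolicyContainer",
        "ObjectDN": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example",
        "AttributeLDAPDisplayName": "gPCMachineExtensionNames", "OperationType": "%%14674",
        "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
    },
    {   # Hit: version counter of the Default Domain Controllers Policy bumped
        "EventID": "5136", "ObjectClass": "groupPolicyContainer",
        "ObjectDN": "CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example",
        "AttributeLDAPDisplayName": "versionNumber", "OperationType": "%%14675",
        "SubjectDomainName": "CORP", "SubjectUserName": "svc-gpo",
    },
    {   # No hit: a custom GPO, not one of the two default containers
        "EventID": "5136", "ObjectClass": "groupPolicyContainer",
        "ObjectDN": "CN={00000000-1111-2222-3333-444444444444},CN=Policies,CN=System,DC=corp,DC=example",
        "AttributeLDAPDisplayName": "versionNumber", "OperationType": "%%14674",
    },
    {   # No hit: object created (5137), not modified (5136)
        "EventID": "5137", "ObjectClass": "groupPolicyContainer",
        "ObjectDN": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example",
    },
    {   # No hit: wrong object class
        "EventID": "5136", "ObjectClass": "user",
        "ObjectDN": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example",
    },
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"[{hit['policy']}] {hit['operation']} on {hit['attribute']} by {hit['subject']}")
```

The enrichment fields (AttributeLDAPDisplayName, OperationType, Subject*) are not part of the rule's selection; they are pulled through because they are what a triager needs to separate a routine `versionNumber` bump from, say, a new client-side extension appearing in `gPCMachineExtensionNames`, which is the usual place a scheduled task or startup script shows up.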
Related rules
- Group Policy Abuse for Privilege Addition
- Modify Group Policy Settings
- Modify Group Policy Settings - ScriptBlockLogging
- Startup/Logon Script Added to Group Policy Object
- Windows Default Domain GPO Modification via GPME