Group Policy Abuse for Privilege Addition
Detects a modification of a Group Policy Object's gPCMachineExtensionNames attribute (Security event 5136) that registers the Security Settings client-side extension, identified by the two GUIDs in the rule. That is the change made when User Rights Assignment or Restricted Groups settings are added to a GPO, which is how an attacker with write access to a GPO grants privileges to user accounts or adds them to the local Administrators group on every computer the GPO applies to.
Sigma rule
title: Group Policy Abuse for Privilege Addition
id: 1c480e10-7ee1-46d4-8ed2-85f9789e3ce4
status: test
description: |
    Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.
author: Elastic, Josh Nickels, Marius Rothenbücher
references:
    - https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275
date: 2024-09-04
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1484.001
logsource:
    product: windows
    service: security
    definition: 'Requirements: The "Audit Directory Service Changes" logging policy must be configured in order to receive events.'
detection:
    selection:
        EventID: 5136
        AttributeLDAPDisplayName: 'gPCMachineExtensionNames'
        AttributeValue|contains:
            - '827D319E-6EAC-11D2-A4EA-00C04F79F83A'
            - '803E14A0-B4FB-11D0-A0D0-00A0C90F574B'
    condition: selection
falsepositives:
    - Users allowed to perform these modifications (user found in field SubjectUserName)
level: medium
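To make the selection concrete, the following is an added Python example (not part of the Sigma rule or of this page) that applies the same three conditions to a handful of constructed 5136 records and groups the hits by SubjectUserName, the field the rule's falsepositives entry points at. The GPO distinguished name, user names and extension-list values in the sample are made up; the OperationType strings %%14674 and %%14675 are the Value Added and Value Deleted markers Windows writes into 5136, and the two GUIDs are the Security client-side extension and its Security Settings tool extension. One operational caveat the logsource definition leaves implicit: 5136 is only written for objects whose SACL audits the change, so enabling the Audit Directory Service Changes subcategory is necessary but the GPO container (or a parent with inheritable auditing entries) must also audit property writes.

```python
"""Apply the Sigma selection above to constructed Security event 5136 records."""
from collections import defaultdict

# The two GUIDs the rule looks for inside gPCMachineExtensionNames: the Security
# client-side extension and its Security Settings tool extension, which get
# registered on a GPO when User Rights Assignment or Restricted Groups are added.
SECURITY_CSE_GUID = "827D319E-6EAC-11D2-A4EA-00C04F79F83A"
SECURITY_TOOL_GUID = "803E14A0-B4FB-11D0-A0D0-00A0C90F574B"
WATCHED_GUIDS = (SECURITY_CSE_GUID, SECURITY_TOOL_GUID)

# OperationType values event 5136 uses for the two halves of an attribute modification.
VALUE_ADDED = "%%14674"
VALUE_DELETED = "%%14675"


def matches_rule(event):
    """Return True when the event satisfies the rule's `selection`.

    Sigma string matching is case-insensitive, so the value is upper-cased before the
    `contains` test; the list form of `contains` means either GUID is enough to match.
    """
    if event.get("EventID") != 5136:
        return False
    if event.get("AttributeLDAPDisplayName") != "gPCMachineExtensionNames":
        return False
    value = event.get("AttributeValue", "").upper()
    return any(guid in value for guid in WATCHED_GUIDS)


def triage(events):
    """Group rule hits by SubjectUserName (the field the falsepositives entry names).

    One GPO edit produces two 5136 events: a Value Deleted carrying the old attribute
    value and a Value Added carrying the new one. Only the Value Added half is kept so
    each alert shows the GPO and its extension list as it stands after the change.
    """
    alerts = defaultdict(list)
    for event in events:
        if matches_rule(event) and event.get("OperationType") == VALUE_ADDED:
            alerts[event["SubjectUserName"]].append(
                {"gpo": event["ObjectDN"], "new_value": event["AttributeValue"]}
            )
    return dict(alerts)


# Constructed sample events (not real log data); field names follow the 5136 schema.
GPO_DN = "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example"
ADMIN_TEMPLATES_PAIR = "[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}]"
SECURITY_PAIR = "[{%s}{%s}]" % (SECURITY_CSE_GUID, SECURITY_TOOL_GUID)

SAMPLE_EVENTS = [
    # jdoe adds security settings to a GPO that previously carried only Administrative Templates:
    # the old value is logged as Value Deleted, the new value as Value Added.
    {"EventID": 5136, "SubjectUserName": "jdoe", "OperationType": VALUE_DELETED, "ObjectDN": GPO_DN,
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames", "AttributeValue": ADMIN_TEMPLATES_PAIR},
    {"EventID": 5136, "SubjectUserName": "jdoe", "OperationType": VALUE_ADDED, "ObjectDN": GPO_DN,
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames", "AttributeValue": ADMIN_TEMPLATES_PAIR + SECURITY_PAIR},
    # svc_gpo changes the user-side extension list: a different attribute, out of the rule's scope.
    {"EventID": 5136, "SubjectUserName": "svc_gpo", "OperationType": VALUE_ADDED, "ObjectDN": GPO_DN,
     "AttributeLDAPDisplayName": "gPCUserExtensionNames", "AttributeValue": SECURITY_PAIR},
    # Lower-case GUIDs, as some tooling writes them, must still match.
    {"EventID": 5136, "SubjectUserName": "tmp_admin", "OperationType": VALUE_ADDED, "ObjectDN": GPO_DN,
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames", "AttributeValue": SECURITY_PAIR.lower()},
]

if __name__ == "__main__":
    for user, hits in triage(SAMPLE_EVENTS).items():
        for hit in hits:
            print(f"{user}: {hit['gpo']} -> {hit['new_value']}")
```

Run as a script it prints one line each for jdoe and tmp_admin; svc_gpo is never reported because the rule only watches the machine-side extension list. When tuning the rule, the SubjectUserName grouping is where the allow-list from the falsepositives entry belongs, rather than in the selection itself.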
References
- https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275
Related rules
- Startup/Logon Script Added to Group Policy Object
- Modify Group Policy Settings
- Modify Group Policy Settings - ScriptBlockLogging
- APT27 - Emissary Panda Activity
- AWS IAM S3Browser LoginProfile Creation