Group Policy Abuse for Privilege Addition
Detects modifications to Group Policy Object attributes that add privileges to user accounts or use them to add users as local administrators. Concretely, the rule matches Event ID 5136 (directory service object modified) where the gPCMachineExtensionNames attribute of a GPO gains the Security Settings client-side extension GUIDs, which is how a computer-side GPO starts applying User Rights Assignment and Restricted Groups settings. Note that the Sigma rule itself fires on every matching modification: the "first occurrence" behaviour described by the referenced Elastic rule is not expressible in Sigma and has to be provided by the consuming SIEM, for example with a first-seen aggregation on the subject user and the GPO distinguished name.
Sigma rule

title: Group Policy Abuse for Privilege Addition
id: 1c480e10-7ee1-46d4-8ed2-85f9789e3ce4
status: experimental
description: |
    Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.
author: Elastic, Josh Nickels, Marius Rothenbücher
references:
    - https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275
date: 2024-09-04
tags:
    - attack.privilege-escalation
    - attack.t1484.001
logsource:
    product: windows
    service: security
    definition: 'Requirements: The "Audit Directory Service Changes" logging policy must be configured in order to receive events.'
detection:
    selection:
        EventID: 5136
        AttributeLDAPDisplayName: 'gPCMachineExtensionNames'
        AttributeValue|contains:
            - '827D319E-6EAC-11D2-A4EA-00C04F79F83A'
            - '803E14A0-B4FB-11D0-A0D0-00A0C90F574B'
    condition: selection
falsepositives:
    - Users allowed to perform these modifications (user found in field SubjectUserName)
level: medium
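To show what the selection above actually matches, here is an added Python re-implementation of the rule logic run over constructed Event ID 5136 records. It is example code written for this page, not part of the SigmaHQ rule or of Elastic's detection. The sample events, the host and GPO names, and the (host, subject user, GPO DN) key used to approximate the description's "first occurrence" wording are assumptions; the OperationType check is an extra, shown because the Sigma selection as written does not distinguish a value being added from one being removed.

```python
"""Re-implementation of the Sigma selection for 'Group Policy Abuse for Privilege Addition',
run over constructed Windows Security 5136 records. Example code, not the SigmaHQ rule itself."""
import re
from typing import Iterable

# GUIDs from the rule's AttributeValue|contains list.
SECURITY_CSE_GUID = "827D319E-6EAC-11D2-A4EA-00C04F79F83A"    # Security Settings client-side extension
SECURITY_TOOL_GUID = "803E14A0-B4FB-11D0-A0D0-00A0C90F574B"   # Security Settings MMC tool extension
WATCHED_GUIDS = (SECURITY_CSE_GUID, SECURITY_TOOL_GUID)

# Event ID 5136 reports the change type as a resource-string ID.
OPERATION_VALUE_ADDED = "%%14674"
OPERATION_VALUE_DELETED = "%%14675"

GUID_RE = re.compile(r"\{([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})\}")
GROUP_RE = re.compile(r"\[([^\]]*)\]")


def parse_extension_names(value: str) -> list[list[str]]:
    """Split a gPCMachineExtensionNames value into its [{CSE}{tool}...] groups.
    Each inner list starts with the CSE GUID, followed by its tool-extension GUIDs."""
    return [GUID_RE.findall(group) for group in GROUP_RE.findall(value.upper())]


def matches_selection(event: dict) -> bool:
    """The rule's 'selection' block. Sigma string matching is case-insensitive and
    'contains' is a plain substring test, so braces and other CSEs in the value do not matter."""
    if str(event.get("EventID", "")) != "5136":
        return False
    if str(event.get("AttributeLDAPDisplayName", "")).lower() != "gpcmachineextensionnames":
        return False
    value = str(event.get("AttributeValue", "")).upper()
    return any(guid in value for guid in WATCHED_GUIDS)


def is_value_added(event: dict) -> bool:
    """Not part of the Sigma rule: 5136 also fires when the value is removed, so a
    stricter port would additionally require OperationType == %%14674 (Value Added)."""
    return event.get("OperationType") == OPERATION_VALUE_ADDED


class FirstOccurrenceTracker:
    """Approximates the description's 'first occurrence' wording, which Sigma cannot express.
    Keying on (host, actor, GPO DN) is an assumption made for this example."""

    def __init__(self) -> None:
        self.seen: set[tuple] = set()

    def is_new(self, event: dict) -> bool:
        key = (event.get("Computer"), event.get("SubjectUserName"), event.get("ObjectDN"))
        if key in self.seen:
            return False
        self.seen.add(key)
        return True


def run_rule(events: Iterable[dict], first_occurrence_only: bool = True) -> list[dict]:
    """Apply the selection (and optionally first-occurrence suppression); return alert summaries."""
    tracker = FirstOccurrenceTracker()
    alerts = []
    for ev in events:
        if not matches_selection(ev):
            continue
        if first_occurrence_only and not tracker.is_new(ev):
            continue
        alerts.append({
            "actor": ev.get("SubjectUserName"),
            "gpo": ev.get("ObjectDN"),
            "added": is_value_added(ev),
            "cse_groups": parse_extension_names(str(ev.get("AttributeValue", ""))),
        })
    return alerts


# Constructed sample events (not real logs); host, user and GPO names are made up.
GPO_DN = "CN={D3E4F5A6-1111-2222-3333-444455556666},CN=Policies,CN=System,DC=corp,DC=example"
SECURITY_PAIR = "[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]"


def make_event(**overrides) -> dict:
    base = {"EventID": 5136, "Computer": "DC01.corp.example", "SubjectUserName": "jdoe",
            "ObjectClass": "groupPolicyContainer", "ObjectDN": GPO_DN,
            "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
            "OperationType": OPERATION_VALUE_ADDED, "AttributeValue": SECURITY_PAIR}
    base.update(overrides)
    return base


SAMPLE_EVENTS = [
    make_event(),                                              # 0: security CSE added -> alert
    make_event(),                                              # 1: same again -> suppressed as repeat
    make_event(AttributeValue="[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}"
                              "{D02B1F72-3407-48AE-BA88-E8213C6761F1}]"),  # 2: other CSE -> no match
    make_event(AttributeLDAPDisplayName="gPCUserExtensionNames"),          # 3: user side -> no match
    make_event(SubjectUserName="svc-gpo", OperationType=OPERATION_VALUE_DELETED,
               AttributeValue=SECURITY_PAIR.lower()),          # 4: lowercase, deletion -> still matches
    make_event(EventID=5137),                                  # 5: object created -> no match
]

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
```

Event 4 is the caveat worth remembering: because the selection only checks that the value contains the GUIDs, removing the Security Settings extension from a GPO produces the same alert as adding it, so an analyst should read OperationType before treating the hit as a privilege addition.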
References
- https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275
Related rules
- Modify Group Policy Settings
- Modify Group Policy Settings - ScriptBlockLogging
- Certificate Use With No Strong Mapping
- Diamond Sleet APT Scheduled Task Creation
- Exploitation Indicators Of CVE-2023-20198