Windows Default Domain GPO Modification via GPME
Detects the use of the Group Policy Management Editor (GPME) to modify the Default Domain or Default Domain Controllers Group Policy Objects (GPOs). Adversaries may leverage GPME to make stealthy changes in these default GPOs, deploying malicious GPO configurations across the domain without raising suspicion, since both objects are linked by default and apply to every domain member or every domain controller respectively.
Sigma rule
```yaml
title: Windows Default Domain GPO Modification via GPME
id: dcff7e85-d01f-4eb5-badd-84e2e6be8294
related:
    - id: e5ac86dd-2da1-454b-be74-05d26c769d7d
      type: similar
status: experimental
description: |
    Detects the use of the Group Policy Management Editor (GPME) to modify Default Domain or Default Domain Controllers Group Policy Objects (GPOs).
    Adversaries may leverage GPME to make stealthy changes in these default GPOs to deploy malicious GPO configurations across the domain without raising suspicion.
references:
    - https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html
    - https://adsecurity.org/?p=3377
    - https://sdmsoftware.com/general-stuff/launching-the-new-gp-management-editor-from-the-command-line/
    - https://www.pentestpartners.com/security-blog/living-off-the-land-gpo-style/
author: TropChaud
date: 2025-11-22
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1484.001
logsource:
    product: windows
    category: process_creation
detection:
    # Example command line (LDAP distinguished name of the GPO, redacted):
    # "C:\Windows\System32\gpme.msc" /s /gpobject:"LDAP://<REDACTED>/cn=<REDACTED>,cn=policies,cn=system,DC=<REDACTED>,DC=local"
    selection_mmc:
        # A list of maps is OR'ed: either the image path or the PE OriginalFileName identifies mmc.exe,
        # so a renamed copy of mmc.exe still matches via OriginalFileName.
        - Image|endswith: '\mmc.exe'
        - OriginalFileName: 'MMC.exe'
    selection_gpme:
        CommandLine|contains|all:
            - 'gpme.msc'
            - 'gpobject:'
    selection_default_gpos:
        # Well-known GUIDs that are identical in every Active Directory domain
        CommandLine|contains:
            - '31B2F340-016D-11D2-945F-00C04FB984F9' # Default Domain Policy GUID
            - '6AC1786C-016F-11D2-945F-00C04FB984F9' # Default Domain Controllers Policy GUID
    condition: all of selection_*
falsepositives:
    - Legitimate use of GPME to modify GPOs
level: medium
```
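To make the rule's matching semantics concrete, the following is an added Python example, not part of the Sigma rule or of this page: it reimplements the three selections and the `all of selection_*` condition with Sigma's default case-insensitive string matching and runs them over four constructed process-creation events shaped like Sysmon Event ID 1 records. The host name, paths, and the custom-GPO GUID in the sample events are made up for illustration; only the two default-GPO GUIDs are real.

```python
"""Reference implementation of the 'Windows Default Domain GPO Modification via GPME'
Sigma rule, run over constructed sample events (added example, not the rule's own code)."""

# Well-known GUIDs from the rule: identical in every Active Directory domain.
DEFAULT_DOMAIN_POLICY = "31B2F340-016D-11D2-945F-00C04FB984F9"
DEFAULT_DC_POLICY = "6AC1786C-016F-11D2-945F-00C04FB984F9"


def _ci(value):
    """Sigma string modifiers (contains/endswith/plain equality) are case-insensitive by default."""
    return (value or "").lower()


def selection_mmc(event):
    """Sigma list-of-maps selection: Image|endswith OR OriginalFileName equality."""
    return (_ci(event.get("Image")).endswith("\\mmc.exe")
            or _ci(event.get("OriginalFileName")) == "mmc.exe")


def selection_gpme(event):
    """CommandLine|contains|all: every token must be present."""
    cmd = _ci(event.get("CommandLine"))
    return all(token in cmd for token in ("gpme.msc", "gpobject:"))


def selection_default_gpos(event):
    """CommandLine|contains with a list: any one GUID suffices."""
    cmd = _ci(event.get("CommandLine"))
    return any(guid.lower() in cmd for guid in (DEFAULT_DOMAIN_POLICY, DEFAULT_DC_POLICY))


def matches(event):
    """condition: all of selection_*"""
    return selection_mmc(event) and selection_gpme(event) and selection_default_gpos(event)


def triage(events):
    """Return the indexes of events that fire the rule."""
    return [i for i, ev in enumerate(events) if matches(ev)]


# Constructed sample events (hostname dc01.corp.example and all paths are made up).
SAMPLE_EVENTS = [
    {   # 0: GPME opened on the Default Domain Policy -> expected hit
        "Image": r"C:\Windows\System32\mmc.exe",
        "OriginalFileName": "MMC.exe",
        "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\gpme.msc" /s '
                       r'/gpobject:"LDAP://dc01.corp.example/cn={31B2F340-016D-11D2-945F-00C04FB984F9},'
                       r'cn=policies,cn=system,DC=corp,DC=example"',
    },
    {   # 1: GPME opened on an ordinary custom GPO (made-up GUID) -> no hit, the rule is scoped to defaults
        "Image": r"C:\Windows\System32\mmc.exe",
        "OriginalFileName": "MMC.exe",
        "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\gpme.msc" /s '
                       r'/gpobject:"LDAP://dc01.corp.example/cn={CAFEBABE-1234-4321-ABCD-0123456789AB},'
                       r'cn=policies,cn=system,DC=corp,DC=example"',
    },
    {   # 2: renamed copy of mmc.exe and lowercase GUID for the Default Domain Controllers Policy
        #    -> still a hit: OriginalFileName and case-insensitive matching cover both evasions
        "Image": r"C:\Users\Public\m.exe",
        "OriginalFileName": "MMC.exe",
        "CommandLine": r'"C:\Users\Public\m.exe" "C:\Windows\System32\gpme.msc" /s '
                       r'/gpobject:"ldap://dc01.corp.example/cn={6ac1786c-016f-11d2-945f-00c04fb984f9},'
                       r'cn=policies,cn=system,DC=corp,DC=example"',
    },
    {   # 3: Group Policy Management Console (gpmc.msc) itself, no /gpobject: -> no hit
        "Image": r"C:\Windows\System32\mmc.exe",
        "OriginalFileName": "MMC.exe",
        "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\gpmc.msc" /s',
    },
]

if __name__ == "__main__":
    for i in triage(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Events 0 and 2 fire; events 1 and 3 do not. Two practitioner caveats follow from this: the rule keys entirely on the GPME launch command line, so edits made through the GroupPolicy PowerShell module (for example `Set-GPRegistryValue`) or by writing straight into the GPO's SYSVOL folder never produce this command line and need the related rules listed below; and because the default GPOs are legitimately edited by administrators, the alert is a triage prompt (who, from which host, at what hour) rather than a confirmation of compromise.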
References
- https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html
- https://adsecurity.org/?p=3377
- https://sdmsoftware.com/general-stuff/launching-the-new-gp-management-editor-from-the-command-line/
- https://www.pentestpartners.com/security-blog/living-off-the-land-gpo-style/
Related rules
- Windows Default Domain GPO Modification
- Group Policy Abuse for Privilege Addition
- Startup/Logon Script Added to Group Policy Object
- Modify Group Policy Settings
- Modify Group Policy Settings - ScriptBlockLogging