
Group Policy Abuse for Privilege Addition

Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.

Authors: Elastic Security, Josh Nickels, Marius Rothenbücher

Log Source
Product: windows
Service: security

Definition

Requirements: The "Audit Directory Service Changes" logging policy must be configured in order to receive events.

Detection Logic
detection:
    selection:
        EventID: 5136
        AttributeLDAPDisplayName: 'gPCMachineExtensionNames'
        AttributeValue|contains:
            - '827D319E-6EAC-11D2-A4EA-00C04F79F83A'
            - '803E14A0-B4FB-11D0-A0D0-00A0C90F574B'
    condition: selection
False Positives

Users who are legitimately allowed to perform these modifications (the acting account is found in the SubjectUserName field)
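As an added example, not part of the SigmaHQ rule or this page, the Python below evaluates the selection above over a few constructed Windows Security Event ID 5136 records. It applies Sigma's default case-insensitive string matching, keeps only the first hit per GPO distinguished name as the rule description says, and tags each hit with whether SubjectUserName is one of an assumed set of expected GPO editors, which is the false-positive check noted above. The GPO distinguished names, account names, the ALLOWED_EDITORS set and the all-zero placeholder GUID are constructed; the two CSE GUIDs come from the rule.

```python
"""Evaluate the rule's selection over constructed Event ID 5136 records.

Added example; not the SigmaHQ rule's own code. All sample data is constructed.
"""
from typing import Any, Dict, Iterable, List

# Selection copied from the rule on the page.
SELECTION: Dict[str, Any] = {
    "EventID": 5136,
    "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
    "AttributeValue|contains": [
        "827D319E-6EAC-11D2-A4EA-00C04F79F83A",
        "803E14A0-B4FB-11D0-A0D0-00A0C90F574B",
    ],
}

# Assumption: accounts expected to edit GPOs in this environment. The page's
# false-positive note says to check SubjectUserName against such a list.
ALLOWED_EDITORS = {"gpo-admin"}


def _match_field(event: Dict[str, Any], key: str, expected: Any) -> bool:
    """Match one Sigma field (with optional |contains modifier) against an event."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    if modifier == "":
        # Sigma default: exact match, case-insensitive; compare as strings so
        # an EventID delivered as "5136" still matches the integer in the rule.
        return str(actual).lower() == str(expected).lower()
    if modifier == "contains":
        values = expected if isinstance(expected, list) else [expected]
        haystack = str(actual).lower()
        return any(str(v).lower() in haystack for v in values)
    raise ValueError(f"unsupported modifier: {modifier}")


def matches_selection(event: Dict[str, Any], selection: Dict[str, Any] = SELECTION) -> bool:
    """The rule's condition is just 'selection': every field must match."""
    return all(_match_field(event, k, v) for k, v in selection.items())


def first_occurrences(events: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the first matching event per GPO (ObjectDN), mirroring the
    description's 'first occurrence', tagged with whether the editor is expected."""
    seen = set()
    hits: List[Dict[str, Any]] = []
    for ev in events:
        if not matches_selection(ev):
            continue
        gpo = ev.get("ObjectDN")
        if gpo in seen:
            continue  # repeat edit of the same GPO: not a new first occurrence
        seen.add(gpo)
        user = ev.get("SubjectUserName")
        hits.append({
            "ObjectDN": gpo,
            "SubjectUserName": user,
            "expected_editor": user in ALLOWED_EDITORS,
        })
    return hits


# Constructed sample events. AttributeValue uses the "[{CSE}{CSE}]" layout
# that gPCMachineExtensionNames carries in real 5136 events.
GPO_A = "CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=corp,DC=example"
GPO_B = "CN={66666666-7777-8888-9999-AAAAAAAAAAAA},CN=Policies,CN=System,DC=corp,DC=example"
GPO_C = "CN={BBBBBBBB-CCCC-DDDD-EEEE-FFFFFFFFFFFF},CN=Policies,CN=System,DC=corp,DC=example"

SAMPLE_EVENTS = [
    # Unexpected account adds the watched CSE GUIDs to GPO A -> hit
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectDN": GPO_A,
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
     "AttributeValue": "[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]"},
    # Expected editor, GUID in lower case -> still a hit (case-insensitive)
    {"EventID": "5136", "SubjectUserName": "gpo-admin", "ObjectDN": GPO_B,
     "AttributeLDAPDisplayName": "gpcmachineextensionnames",
     "AttributeValue": "[{827d319e-6eac-11d2-a4ea-00c04f79f83a}]"},
    # Same account edits GPO A again -> matches, but suppressed as a repeat
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectDN": GPO_A,
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
     "AttributeValue": "[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]"},
    # User-side extension list changed instead -> not covered by this rule
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectDN": GPO_C,
     "AttributeLDAPDisplayName": "gPCUserExtensionNames",
     "AttributeValue": "[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]"},
    # Different event (object deleted) -> no match
    {"EventID": 5137, "SubjectUserName": "jdoe", "ObjectDN": GPO_C,
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
     "AttributeValue": "[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]"},
    # Placeholder CSE GUID that the rule does not watch -> no match
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectDN": GPO_C,
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
     "AttributeValue": "[{00000000-0000-0000-0000-000000000000}]"},
]

if __name__ == "__main__":
    for hit in first_occurrences(SAMPLE_EVENTS):
        print(hit)
```

Running the block prints two hits: the jdoe change to GPO A, flagged as an unexpected editor, and the gpo-admin change to GPO B, flagged as expected. The per-GPO de-duplication is the only piece beyond the rule itself; a SIEM would usually implement that "first occurrence" with a time window rather than a process-lifetime set.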

Rule Metadata
Rule ID
1c480e10-7ee1-46d4-8ed2-85f9789e3ce4
Status
test
Level
medium
Type
Detection
Created
Wed Sep 04
Path
rules/windows/builtin/security/win_security_susp_group_policy_abuse_privilege_addition.yml
Tags
attack.defense-evasion, attack.privilege-escalation, attack.t1484.001