Windows Default Domain GPO Modification via GPME

Original Source: [Sigma source]
Title: Windows Default Domain GPO Modification via GPME
Status: experimental
Description: Detects the use of the Group Policy Management Editor (GPME) to modify the Default Domain or Default Domain Controllers Group Policy Objects (GPOs). Adversaries may leverage GPME to make stealthy changes in these default GPOs to deploy malicious GPO configurations across the domain without raising suspicion.
References:
  - https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html
  - https://adsecurity.org/?p=3377
  - https://sdmsoftware.com/general-stuff/launching-the-new-gp-management-editor-from-the-command-line/
  - https://www.pentestpartners.com/security-blog/living-off-the-land-gpo-style/
Author: TropChaud
Date: 2025-11-22
Modified: None
Tags:
  - 'attack.defense-evasion'
  - 'attack.privilege-escalation'
  - 'attack.t1484.001'
Logsource:
  product: windows
  category: process_creation
Detection:
  selection_mmc:
    Image|endswith: '\mmc.exe'
    OriginalFileName: 'MMC.exe'

  selection_gpme:
    CommandLine|contains|all:
      - 'gpme.msc'
      - 'gpobject:'

  selection_default_gpos:
    CommandLine|contains:
      - '31B2F340-016D-11D2-945F-00C04FB984F9'
      - '6AC1786C-016F-11D2-945F-00C04FB984F9'

  condition: all of selection_*
Falsepositives:
  - Legitimate use of GPME to modify GPOs
Level: medium
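The Detection section above, evaluated as plain Python over three constructed process_creation events. This is an added illustration, not part of the Sigma rule or any Sigma backend; it reproduces Sigma's default case-insensitive string matching, and the domain, paths and the all-zero GUID in the samples are placeholders.

```python
DEFAULT_GPO_GUIDS = (
    "31B2F340-016D-11D2-945F-00C04FB984F9",  # Default Domain Policy
    "6AC1786C-016F-11D2-945F-00C04FB984F9",  # Default Domain Controllers Policy
)

def _field(event, name):
    # Sigma string modifiers (endswith/contains/equality) match case-insensitively by default
    return str(event.get(name, "")).lower()

def selection_mmc(event):
    # Image|endswith: '\mmc.exe' and OriginalFileName: 'MMC.exe'
    return (_field(event, "Image").endswith("\\mmc.exe")
            and _field(event, "OriginalFileName") == "mmc.exe")

def selection_gpme(event):
    # CommandLine|contains|all: every listed substring must be present
    cmd = _field(event, "CommandLine")
    return all(s in cmd for s in ("gpme.msc", "gpobject:"))

def selection_default_gpos(event):
    # CommandLine|contains: any one of the default GPO GUIDs is enough
    cmd = _field(event, "CommandLine")
    return any(g.lower() in cmd for g in DEFAULT_GPO_GUIDS)

def matches_rule(event):
    # condition: all of selection_*
    return selection_mmc(event) and selection_gpme(event) and selection_default_gpos(event)

# Constructed sample events (not real telemetry); field names follow Sigma's process_creation taxonomy.
SAMPLE_EVENTS = [
    {   # Default Domain Policy opened in GPME from the command line: the rule fires
        "Image": r"C:\Windows\System32\mmc.exe",
        "OriginalFileName": "MMC.exe",
        "CommandLine": r'mmc.exe "C:\Windows\System32\gpme.msc" /gpobject:"LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=example,DC=local"',
    },
    {   # A non-default GPO (placeholder GUID): GPME use alone does not fire
        "Image": r"C:\Windows\System32\mmc.exe",
        "OriginalFileName": "MMC.exe",
        "CommandLine": r'mmc.exe gpme.msc /gpobject:"LDAP://CN={00000000-0000-0000-0000-000000000000},CN=Policies,CN=System,DC=example,DC=local"',
    },
    {   # Default GPO GUID on a non-mmc.exe command line (a read-only query): does not fire
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r"powershell.exe Get-GPO -Guid 31B2F340-016D-11D2-945F-00C04FB984F9",
    },
]

def run_detection(events=SAMPLE_EVENTS):
    # Return the indexes of the events the rule would flag
    return [i for i, e in enumerate(events) if matches_rule(e)]
```

Only the first sample trips all three selections; the second shows why the GUID list is what distinguishes default-GPO edits from routine GPME use, which is also the source of the listed false positive.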