Windows Admon Group Policy Object Created

Original Source: [splunk source]
Name:Windows Admon Group Policy Object Created
id:69201633-30d9-48ef-b1b6-e680805f0582
version:4
date:2024-09-30
author:Mauricio Velazco, Splunk
status:production
type:TTP
Description:The following analytic detects the creation of a new Group Policy Object (GPO) using Splunk's Admon data. It identifies events where a new GPO is created, excluding default "New Group Policy Object" entries. Monitoring GPO creation is crucial as adversaries can exploit GPOs to escalate privileges or deploy malware across an Active Directory network. If confirmed malicious, this activity could allow attackers to control system configurations, deploy ransomware, or propagate malware, significantly compromising the network's security.
Data_source:
  • -Windows Active Directory Admon
search:`admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*" versionNumber=0 displayName!="New Group Policy Object"
| stats min(_time) as firstTime max(_time) as lastTime values(gPCFileSysPath) by dcName, displayName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_admon_group_policy_object_created_filter`


how_to_implement:To successfully implement this search, you need to be monitoring Active Directory logs using Admon. Details can be found here https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory
known_false_positives:Group Policy Objects are created as part of regular administrative operations, filter as needed.
References:
  -https://attack.mitre.org/techniques/T1484/
  -https://attack.mitre.org/techniques/T1484/001
  -https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/
  -https://adsecurity.org/?p=2716
  -https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory
drilldown_searches:
name:'View the detection results for - "$dcName$"'
search:'%original_detection_search% | search dcName = "$dcName$"'
earliest_offset:'$info_min_time$'
latest_offset:'$info_max_time$'
name:'View risk events for the last 7 days for - "$dcName$"'
search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dcName$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset:'$info_min_time$'
latest_offset:'$info_max_time$'
tags:
  analytic_story:
    - 'Active Directory Privilege Escalation'
    - 'Sneaky Active Directory Persistence Tricks'
  asset_type:Endpoint
  confidence:50
  impact:100
  message:A new group policy objected was created on $dcName$
  mitre_attack_id:
    - 'T1484'
    - 'T1484.001'
  observable:
    name:'dcName'
    type:'Endpoint'
    - role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
    - 'admonEventType'
    - 'objectCategory'
    - 'displayName'
    - 'gPCFileSysPath'
    - 'dcName'
  risk_score:50
  security_domain:endpoint

tests:
name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_created/windows-admon.log
  source: ActiveDirectory
  sourcetype: ActiveDirectory
manual_test:None