Name:Windows Admon Group Policy Object Created id:69201633-30d9-48ef-b1b6-e680805f0582 version:4 date:2024-09-30 author:Mauricio Velazco, Splunk status:production type:TTP Description:The following analytic detects the creation of a new Group Policy Object (GPO) using Splunk's Admon data. It identifies events where a new GPO is created, excluding default "New Group Policy Object" entries. Monitoring GPO creation is crucial as adversaries can exploit GPOs to escalate privileges or deploy malware across an Active Directory network. If confirmed malicious, this activity could allow attackers to control system configurations, deploy ransomware, or propagate malware, significantly compromising the network's security. Data_source:
-Windows Active Directory Admon
search:`admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*" versionNumber=0 displayName!="New Group Policy Object" | stats min(_time) as firstTime max(_time) as lastTime values(gPCFileSysPath) by dcName, displayName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_admon_group_policy_object_created_filter`
how_to_implement:To successfully implement this search, you need to be monitoring Active Directory logs using Admon. Details can be found here https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory known_false_positives:Group Policy Objects are created as part of regular administrative operations, filter as needed. References: -https://attack.mitre.org/techniques/T1484/ -https://attack.mitre.org/techniques/T1484/001 -https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/ -https://adsecurity.org/?p=2716 -https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory drilldown_searches: name:'View the detection results for - "$dcName$"' search:'%original_detection_search% | search dcName = "$dcName$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dcName$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dcName$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Active Directory Privilege Escalation' - 'Sneaky Active Directory Persistence Tricks' asset_type:Endpoint confidence:50 impact:100 message:A new group policy objected was created on $dcName$ mitre_attack_id: - 'T1484' - 'T1484.001' observable: name:'dcName' type:'Endpoint' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'admonEventType' - 'objectCategory' - 'displayName' - 'gPCFileSysPath' - 'dcName' risk_score:50 security_domain:endpoint