/
windows_default_group_policy_object_modified_with_gpme.yml
93 lines (93 loc) · 4.15 KB
/
windows_default_group_policy_object_modified_with_gpme.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
name: Windows Default Group Policy Object Modified with GPME
id: eaf688b3-bb8f-454d-b105-920a862cd8cb
version: 1
date: '2023-04-24'
author: Mauricio Velazco, Splunk
status: production
type: TTP
data_source:
- Sysmon EventID 1
description: The following analytic leverages the Endpoint datamodel to identify the
potential edition of a default Group Policy Object. A fresh installation of an Active
Directory network will typically contain two default group policy objects `Default
Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers
policy is used to enforce and set policies to all the domain controllers within
the domain environment. The default domain policy is linked to all users and computers
by default. An adversary who has obtained privileged access to an Active Directory
network may modify the default group policy objects to obtain further access, deploy
persistence or execute malware across a large number of hosts. Security teams should
monitor the edition of the default GPOs.
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=mmc.exe
(Processes.process =*gpme.msc*) AND (Processes.process = "*31B2F340-016D-11D2-945F-00C04FB984F9*"
OR Processes.process = "*6AC1786C-016F-11D2-945F-00C04fB984F9*" ) by Processes.dest
Processes.user Processes.parent_process_name Processes.process_name Processes.process
Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_default_group_policy_object_modified_with_gpme_filter`'
how_to_implement: The detection is based on data that originates from Endpoint Detection
and Response (EDR) agents. These agents are designed to provide security-related
telemetry from the endpoints where the agent is installed. To implement this search,
you must ingest logs that contain the process GUID, process name, and parent process.
Additionally, you must ingest complete command-line executions. These logs must
be processed using the appropriate Splunk Technology Add-ons that are specific to
the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
data model. Use the Splunk Common Information Model (CIM) to normalize the field
names and speed up the data modeling process.
known_false_positives: The default Group Policy Objects within an AD network may be
legitimately updated for administrative operations, filter as needed.
references:
- https://attack.mitre.org/techniques/T1484/
- https://attack.mitre.org/techniques/T1484/001
- https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/
- https://adsecurity.org/?p=2716
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265969(v=ws.11)
tags:
analytic_story:
- Active Directory Privilege Escalation
- Sneaky Active Directory Persistence Tricks
asset_type: Endpoint
confidence: 50
impact: 100
message: A default group policy object was opened with Group Policy Manage Editor
on $dest$
mitre_attack_id:
- T1484
- T1484.001
observable:
- name: dest
type: Hostname
role:
- Victim
- name: parent_process_name
type: Process
role:
- Parent Process
- name: process_name
type: Process
role:
- Child Process
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Processes.dest
- Processes.user
- Processes.parent_process_name
- Processes.parent_process
- Processes.original_file_name
- Processes.process_name
- Processes.process
- Processes.process_id
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
risk_score: 50
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/windows-security.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog