
DET0305 Detection of Group Policy Modifications via AD Object Changes and File Activity

| Item | Value |
|---|---|
| ID | DET0305 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1484.001 (Group Policy Modification)

Analytics

Windows

AN0854

An adversary modifies GPO containers in Active Directory or policy files under SYSVOL using LDAP, ADSI, PowerShell (e.g., New-GPOImmediateTask) or GUI tools. This covers directory object changes (e.g., gPCFileSysPath), delegation assignments (SeEnableDelegationPrivilege), and SYSVOL file writes (ScheduledTasks.xml, GptTmpl.inf).

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Active Directory Object Modification (DC0066) | WinEventLog:Security | EventCode=5136 |
| File Modification (DC0061) | WinEventLog:Security | EventCode=4663, 4670, 4656 |
| User Account Modification (DC0010) | WinEventLog:Security | EventCode=4704 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |

Mutable Elements

| Field | Description |
|---|---|
| ObjectDN | Focus detection on AD paths like CN=Policies,CN=System,DC=domain,DC=com. |
| TargetFilename | Target specific files like ScheduledTasks.xml or GptTmpl.inf in SYSVOL. |
| TimeWindow | Correlate GPO object change and SYSVOL file modification within N seconds. |
| UserContext | Alert on unexpected modification by non-admins or uncommon accounts. |
| CommandLine | Flag usage of GPO manipulation tools like Set-GPRegistryValue, New-GPOImmediateTask. |
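The correlation logic AN0854 describes, with the ObjectDN, TargetFilename, TimeWindow, UserContext and CommandLine elements above, as an added example that is not part of the DET0305 page or any vendor's content. It assumes SIEM-normalised field names (TimeCreated, EventCode, SubjectUserName, ObjectDN, ObjectName, TargetFilename, CommandLine), a constructed `key=value|key=value` event format, and a constructed admin allow-list; the domain and GPO GUID in the sample events are placeholders.

```python
# Added example (not the DET0305 page's own code). Field names are assumed
# SIEM-normalised names; the event line format and allow-list are constructed.
from datetime import datetime, timedelta

GPO_CONTAINER = "CN=Policies,CN=System,"          # ObjectDN path to focus on
SYSVOL_FILES = ("scheduledtasks.xml", "gpttmpl.inf")
GPO_TOOLS = ("set-gpregistryvalue", "new-gpoimmediatetask")
EXPECTED_ADMINS = {"gpo-admin"}                    # constructed allow-list

def parse(line):
    """Parse a constructed 'key=value|key=value' event line into a dict."""
    ev = dict(kv.split("=", 1) for kv in line.split("|"))
    ev["TimeCreated"] = datetime.fromisoformat(ev["TimeCreated"])
    return ev
def is_gpo_object_change(ev):               # Security 5136 on a GPO container
    return ev["EventCode"] == "5136" and GPO_CONTAINER in ev.get("ObjectDN", "")
def is_sysvol_policy_write(ev):             # Security 4663/4670/4656 or Sysmon 11
    path = (ev.get("ObjectName") or ev.get("TargetFilename") or "").lower()
    return (ev["EventCode"] in ("4663", "4670", "4656", "11")
            and "\\sysvol\\" in path and path.endswith(SYSVOL_FILES))
def is_gpo_tool_usage(ev):                  # Sysmon 1 with a GPO cmdlet on the command line
    cmd = ev.get("CommandLine", "").lower()
    return ev["EventCode"] == "1" and any(t in cmd for t in GPO_TOOLS)

def detect(lines, window_seconds=60):
    """Return (rule, user, detail) alerts: AD change correlated with SYSVOL write, unexpected user, tool usage."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["TimeCreated"])
    window = timedelta(seconds=window_seconds)
    ad_changes = [e for e in events if is_gpo_object_change(e)]
    alerts = []
    for fw in (e for e in events if is_sysvol_policy_write(e)):
        for ad in ad_changes:                # TimeWindow: object change and file write close in time
            if abs(fw["TimeCreated"] - ad["TimeCreated"]) <= window:
                alerts.append(("gpo_change_with_sysvol_write", ad["SubjectUserName"], ad["ObjectDN"]))
    for e in events:
        if ((is_gpo_object_change(e) or is_sysvol_policy_write(e))
                and e["SubjectUserName"].lower() not in EXPECTED_ADMINS):   # UserContext
            alerts.append(("unexpected_user", e["SubjectUserName"], e["EventCode"]))
        if is_gpo_tool_usage(e):                                             # CommandLine
            alerts.append(("gpo_tool_commandline", e["SubjectUserName"], e["CommandLine"]))
    return alerts

SAMPLE = [  # constructed events; the GPO GUID and domain are placeholders
    "TimeCreated=2025-10-21T10:00:00|EventCode=5136|SubjectUserName=jdoe|ObjectDN=CN={00000000-0000-0000-0000-000000000001},CN=Policies,CN=System,DC=corp,DC=local",
    "TimeCreated=2025-10-21T10:00:12|EventCode=4663|SubjectUserName=jdoe|ObjectName=\\\\corp.local\\SYSVOL\\corp.local\\Policies\\{00000000-0000-0000-0000-000000000001}\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml",
    "TimeCreated=2025-10-21T10:00:15|EventCode=1|SubjectUserName=jdoe|CommandLine=powershell.exe -Command New-GPOImmediateTask",
    "TimeCreated=2025-10-21T11:30:00|EventCode=4663|SubjectUserName=gpo-admin|ObjectName=\\\\corp.local\\SYSVOL\\corp.local\\Policies\\{00000000-0000-0000-0000-000000000001}\\Machine\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf",
]
```

Running `detect(SAMPLE)` yields one correlated alert for the jdoe object change plus ScheduledTasks.xml write, two unexpected-user hits, and one command-line hit; the later GptTmpl.inf write by the allow-listed account with no nearby 5136 raises nothing.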