An adversary modifies Group Policy by editing the groupPolicyContainer objects under CN=Policies,CN=System in the domain partition or the policy files under SYSVOL, using LDAP or ADSI directly, PowerShell (the GroupPolicy module's Set-GPRegistryValue, or PowerView's New-GPOImmediateTask) or the GPMC GUI. Observable changes include directory object edits (e.g., the gPCFileSysPath attribute), user-right grants such as SeEnableDelegationPrivilege delivered through policy, and writes to SYSVOL files such as ScheduledTasks.xml (Group Policy Preferences scheduled tasks) and GptTmpl.inf (security settings template).

| Data Component | Name | Channel |
|---|---|---|
| Active Directory Object Modification (DC0066) | WinEventLog:Security | EventCode=5136,5137,5138,5139,5141 |
| File Modification (DC0061) | WinEventLog:Security | EventCode=4670 |
| User Account Modification (DC0010) | WinEventLog:Security | EventCode=4704 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |

| Field | Description |
|---|---|
| ObjectDN | Focus detection on AD paths like CN=Policies,CN=System,DC=domain,DC=com. |
| TargetFilename | Target specific files like ScheduledTasks.xml or GptTmpl.inf in SYSVOL. |
| TimeWindow | Correlate GPO object change and SYSVOL file modification within N seconds. |
| UserContext | Alert on unexpected modification by non-admins or uncommon accounts. |
| CommandLine | Flag GPO manipulation tooling such as the GroupPolicy module cmdlet Set-GPRegistryValue or PowerView's New-GPOImmediateTask, particularly when run from hosts or accounts that do not normally administer Group Policy. |
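The five detection fields above, run as one correlation over constructed sample events. This is an added example, not part of the original detection page: the events are hand-built records in a flattened SIEM-style shape (field names imitate the Security and Sysmon fields they stand in for), the GPO GUID, host and user names are made up, and EXPECTED_GPO_ADMINS is an assumed allow-list you would replace with your own change-control accounts.

```python
"""Correlate GPO directory changes, SYSVOL policy-file writes, tool command lines
and delegation-right grants into alerts. Added example with constructed data."""
import re
from datetime import datetime, timedelta

AD_OBJECT_CODES = {5136, 5137, 5138, 5139, 5141}           # DC0066 event codes
GPO_DN_RE = re.compile(r"CN=Policies,CN=System,DC=", re.IGNORECASE)
# Policy files of interest anywhere under a SYSVOL share or local SYSVOL path.
SYSVOL_FILE_RE = re.compile(r"\\SYSVOL\\.*\\(ScheduledTasks\.xml|GptTmpl\.inf)$", re.IGNORECASE)
GPO_TOOLS = ("New-GPOImmediateTask", "Set-GPRegistryValue")  # from the CommandLine row
EXPECTED_GPO_ADMINS = {"gpoadmin"}                           # assumption: replace with yours


def _when(ev):
    return datetime.fromisoformat(ev["_time"])


def _user(ev):
    # Security events carry SubjectUserName; Sysmon carries DOMAIN\user in User.
    return (ev.get("SubjectUserName") or ev.get("User") or "").split("\\")[-1].lower()


def is_gpo_object_change(ev):
    return (ev.get("source") == "WinEventLog:Security"
            and ev.get("EventCode") in AD_OBJECT_CODES
            and bool(GPO_DN_RE.search(ev.get("ObjectDN", ""))))


def is_sysvol_policy_file_write(ev):
    if ev.get("source") == "WinEventLog:Sysmon" and ev.get("EventCode") == 11:
        return bool(SYSVOL_FILE_RE.search(ev.get("TargetFilename", "")))
    if ev.get("source") == "WinEventLog:Security" and ev.get("EventCode") == 4670:
        return bool(SYSVOL_FILE_RE.search(ev.get("ObjectName", "")))
    return False


def is_gpo_tool_commandline(ev):
    if ev.get("source") == "WinEventLog:Sysmon" and ev.get("EventCode") == 1:
        cmd = ev.get("CommandLine", "").lower()
        return any(tool.lower() in cmd for tool in GPO_TOOLS)
    return False


def is_delegation_right_grant(ev):
    return (ev.get("source") == "WinEventLog:Security"
            and ev.get("EventCode") == 4704
            and "SeEnableDelegationPrivilege" in ev.get("PrivilegeList", ""))


def correlate(events, window_seconds=300, expected_admins=EXPECTED_GPO_ADMINS):
    """Return alerts as {'rule', 'user', 'evidence': [EventRecordID, ...]}."""
    window = timedelta(seconds=window_seconds)
    admins = {a.lower() for a in expected_admins}
    obj_changes = [e for e in events if is_gpo_object_change(e)]
    file_writes = [e for e in events if is_sysvol_policy_file_write(e)]
    alerts = []
    # TimeWindow: object change and SYSVOL policy-file write within N seconds, in
    # either order (the file write can land before the gPC attribute update).
    for oc in obj_changes:
        for fw in file_writes:
            if abs(_when(fw) - _when(oc)) <= window:
                alerts.append({"rule": "gpo_object_and_sysvol_write", "user": _user(oc),
                               "evidence": [oc["EventRecordID"], fw["EventRecordID"]]})
    # UserContext: any GPO object or policy-file change by an account off the allow-list.
    for e in obj_changes + file_writes:
        if _user(e) not in admins:
            alerts.append({"rule": "unexpected_gpo_editor", "user": _user(e),
                           "evidence": [e["EventRecordID"]]})
    # CommandLine and delegation-right signals are alerted on their own.
    for e in events:
        if is_gpo_tool_commandline(e):
            alerts.append({"rule": "gpo_tool_commandline", "user": _user(e),
                           "evidence": [e["EventRecordID"]]})
        if is_delegation_right_grant(e):
            alerts.append({"rule": "delegation_right_assigned", "user": _user(e),
                           "evidence": [e["EventRecordID"]]})
    return alerts


# Constructed sample events (not real logs); GUID, host and users are made up.
GPO_PATH = r"\\dc01\SYSVOL\corp.local\Policies\{A1B2C3D4-0000-4000-8000-000000000001}"
SAMPLE_EVENTS = [
    {"EventRecordID": 1, "_time": "2024-05-01T10:00:00", "source": "WinEventLog:Sysmon", "EventCode": 1,
     "User": r"CORP\jdoe", "CommandLine": "powershell.exe -ep bypass -c \"New-GPOImmediateTask -TaskName Update\""},
    {"EventRecordID": 2, "_time": "2024-05-01T10:00:05", "source": "WinEventLog:Security", "EventCode": 5136,
     "SubjectUserName": "jdoe", "AttributeLDAPDisplayName": "gPCFileSysPath",
     "ObjectDN": "CN={A1B2C3D4-0000-4000-8000-000000000001},CN=Policies,CN=System,DC=corp,DC=local"},
    {"EventRecordID": 3, "_time": "2024-05-01T10:00:20", "source": "WinEventLog:Sysmon", "EventCode": 11,
     "User": r"CORP\jdoe", "TargetFilename": GPO_PATH + r"\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml"},
    {"EventRecordID": 4, "_time": "2024-05-01T10:02:00", "source": "WinEventLog:Security", "EventCode": 4704,
     "SubjectUserName": "jdoe", "PrivilegeList": "SeEnableDelegationPrivilege"},
    {"EventRecordID": 5, "_time": "2024-05-01T15:00:00", "source": "WinEventLog:Security", "EventCode": 5136,
     "SubjectUserName": "gpoadmin", "AttributeLDAPDisplayName": "versionNumber",
     "ObjectDN": "CN={A1B2C3D4-0000-4000-8000-000000000001},CN=Policies,CN=System,DC=corp,DC=local"},
    {"EventRecordID": 6, "_time": "2024-05-01T15:00:10", "source": "WinEventLog:Sysmon", "EventCode": 11,
     "User": r"CORP\jdoe", "TargetFilename": r"C:\Users\jdoe\Downloads\GptTmpl.inf"},  # not SYSVOL: ignored
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the run yields one correlated object-change-plus-SYSVOL-write alert for jdoe, two unexpected-editor alerts (the 5136 and the Sysmon 11 write), one tool command line and one delegation grant; gpoadmin's routine versionNumber bump and the GptTmpl.inf copy outside SYSVOL produce nothing. Shrinking the window below the 15-second gap between the gPCFileSysPath change and the file write drops the correlated alert, which is the knob to tune against how your DCs replicate.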