medium advisory

Windows AD GPO Disabled

Detection of Active Directory Group Policy being disabled using the Group Policy Management Console, potentially indicating malicious attempts to weaken security controls.

This detection identifies when an Active Directory Group Policy Object (GPO) is disabled using the Group Policy Management Console. Disabling a GPO can be a sign of malicious activity, as attackers may attempt to weaken or bypass security controls. The detection focuses on changes to the flags attribute of groupPolicyContainer objects in Active Directory: a value of 0 means the GPO is enabled, 1 disables its user configuration settings, 2 disables its computer configuration settings, and 3 disables the GPO entirely. It uses Windows Security event ID 5136 (a directory service object was modified) in conjunction with Active Directory monitoring (admon) data to resolve the modified object's distinguished name to the GPO's display name. Disabling a GPO can make it easier for attackers to move laterally within the network or to establish persistence. The alert reports whether the GPO was disabled for user configuration settings, for computer configuration settings, or entirely.

Attack Chain

  1. An attacker gains privileged access to an Active Directory account with permissions to modify GPOs.
  2. The attacker uses the Group Policy Management Console (GPMC) to open and modify a target GPO.
  3. The attacker changes the flags attribute of the GPO, effectively disabling it. Provided Directory Service Changes auditing is enabled and a SACL covers the object, this generates Windows Event ID 5136.
  4. Event 5136 is logged in the Windows Security event log on the domain controller that took the write. The AttributeLDAPDisplayName is flags and the OperationType is %%14674 (Value Added), which carries the new flags value; the previous value is logged in a paired %%14675 (Value Deleted) event.
  5. The change is replicated to the other domain controllers in the Active Directory environment.
  6. The Active Directory monitoring (admon) input captures the update event for the GPO, logging details such as the distinguishedName and displayName.
  7. Security monitoring systems ingest both the Windows Security event log and the Active Directory monitoring data.
  8. The detection correlates event 5136 with the AD monitoring data using the ObjectDN to identify the disabled GPO by its displayName.
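The correlation described in steps 4 through 8, replayed over constructed sample events, as an added example. This is not the advisory's or Splunk's detection search; the field names follow the Security log XML for event 5136 (ObjectDN, AttributeLDAPDisplayName, OperationType, AttributeValue, SubjectUserName) and the admon fields the text names (distinguishedName, displayName). The domain corp.local, the user names, and the third GPO GUID are constructed; the two well-known default policy GUIDs are real. The example also covers two edge cases the text implies but does not spell out: the paired Value Deleted event must be ignored so a single change does not alert twice, and a flags value written back to 0 is a re-enable, not a disable.

```python
"""Added example: 5136 + admon correlation for disabled GPOs over constructed data."""

# Meaning of the `flags` attribute on a groupPolicyContainer object.
GPO_FLAGS = {
    0: "Enabled",
    1: "User configuration settings disabled",
    2: "Computer configuration settings disabled",
    3: "All settings disabled",
}

# 5136 OperationType codes: an attribute change is logged as a Value Deleted
# event (old value) followed by a Value Added event (new value).
VALUE_ADDED = "%%14674"
VALUE_DELETED = "%%14675"

# Well-known default policy GUIDs; the domain corp.local is constructed.
DEFAULT_DOMAIN_POLICY = "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=local"
DEFAULT_DC_POLICY = "CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=local"
THIRD_GPO = "CN={A1B2C3D4-0000-4000-8000-000000000001},CN=Policies,CN=System,DC=corp,DC=local"  # constructed


def sec_event(dn, attr, op, value, user):
    """Build a constructed 5136 record carrying only the fields the detection reads."""
    return {
        "EventCode": 5136,
        "ObjectDN": dn,
        "ObjectClass": "groupPolicyContainer",
        "AttributeLDAPDisplayName": attr,
        "OperationType": op,
        "AttributeValue": value,
        "SubjectUserName": user,
    }


# Constructed Security log sample (user names are fictitious).
SECURITY_EVENTS = [
    # Default Domain Policy: flags 0 -> 3 (all settings disabled)
    sec_event(DEFAULT_DOMAIN_POLICY, "flags", VALUE_DELETED, "0", "jdoe"),
    sec_event(DEFAULT_DOMAIN_POLICY, "flags", VALUE_ADDED, "3", "jdoe"),
    # A routine edit only bumps versionNumber: must not alert
    sec_event(DEFAULT_DC_POLICY, "versionNumber", VALUE_DELETED, "41", "gpadmin"),
    sec_event(DEFAULT_DC_POLICY, "versionNumber", VALUE_ADDED, "42", "gpadmin"),
    # Third GPO: user configuration disabled, and admon has not seen it yet
    sec_event(THIRD_GPO, "flags", VALUE_DELETED, "0", "svc-deploy"),
    sec_event(THIRD_GPO, "flags", VALUE_ADDED, "1", "svc-deploy"),
    # Default Domain Controllers Policy re-enabled (3 -> 0): not a disable
    sec_event(DEFAULT_DC_POLICY, "flags", VALUE_DELETED, "3", "gpadmin"),
    sec_event(DEFAULT_DC_POLICY, "flags", VALUE_ADDED, "0", "gpadmin"),
]

# Constructed admon update records for the two default policies.
ADMON_RECORDS = [
    {"admonEventType": "Update", "distinguishedName": DEFAULT_DOMAIN_POLICY,
     "displayName": "Default Domain Policy"},
    {"admonEventType": "Update", "distinguishedName": DEFAULT_DC_POLICY,
     "displayName": "Default Domain Controllers Policy"},
]


def gpo_status(attribute_value):
    """Translate the new flags value into the status the advisory describes."""
    return GPO_FLAGS.get(int(attribute_value), f"Unknown flags value {attribute_value}")


def detect_gpo_disabled(security_events, admon_records):
    """Return one alert per 5136 event that writes a disabling flags value.

    The join key is ObjectDN <-> distinguishedName, compared case-insensitively
    because DN casing is not guaranteed to match across the two sources. An
    event with no admon match is still alerted (policyName left unresolved)
    so a lagging admon feed cannot suppress the detection.
    """
    names = {r["distinguishedName"].lower(): r["displayName"]
             for r in admon_records if r.get("admonEventType") == "Update"}
    alerts = []
    for ev in security_events:
        if ev.get("EventCode") != 5136:
            continue
        if ev.get("ObjectClass") != "groupPolicyContainer":
            continue
        if ev.get("AttributeLDAPDisplayName") != "flags":
            continue
        if ev.get("OperationType") != VALUE_ADDED:  # skip the old-value twin
            continue
        try:
            new_flags = int(ev["AttributeValue"])
        except (KeyError, ValueError):
            continue
        if new_flags == 0:  # written back to Enabled: a re-enable, not a disable
            continue
        alerts.append({
            "src_user": ev["SubjectUserName"],
            "ObjectDN": ev["ObjectDN"],
            "policyName": names.get(ev["ObjectDN"].lower(), "<unresolved>"),
            "gpoStatus": gpo_status(new_flags),
        })
    return alerts


if __name__ == "__main__":
    for a in detect_gpo_disabled(SECURITY_EVENTS, ADMON_RECORDS):
        print(f"{a['src_user']:<12} {a['policyName']:<35} {a['gpoStatus']}")
```

Run as-is, the sample produces two alerts: jdoe disabling the Default Domain Policy entirely, and svc-deploy disabling the user configuration of a GPO whose display name could not yet be resolved from admon. The versionNumber edit and the re-enable produce nothing. In a real pipeline the unresolved case is worth keeping as a lower-confidence alert rather than dropping it in the join.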

Impact

Successfully disabling Group Policy Objects can significantly degrade security posture. Attackers might disable policies that enforce password complexity, restrict software execution, harden endpoint configuration, or audit user activity. This can allow them to establish persistence, move laterally within the network, and compromise sensitive data with a reduced risk of detection. The scope of the impact depends on the role of the disabled GPO and the organizational units it is linked to.

Recommendation

  • Enable Active Directory auditing so that event ID 5136 is generated for GPO modifications: turn on the Directory Service Changes audit subcategory on domain controllers and ensure a SACL covers the Group Policy container, as described in the referenced Splunk Lantern article.
  • Ensure the wineventlog_security and admon macros are correctly configured to point to the indexes containing Windows Security event logs and Active Directory monitoring data; without the admon data the GPO display name cannot be resolved.
  • Deploy the provided Sigma rule Detect Windows AD GPO Disabled to identify instances of GPOs being disabled.
  • Investigate any alerts generated by the rule, focusing on the source user (src_user), the affected GPO (policyName), and whether the change matches an approved change record.
  • Monitor for unexpected changes to Group Policy settings: disabling a GPO is uncommon outside change-controlled administration, so changes from unexpected accounts or at unexpected times warrant review.

Detection coverage (3 rules)

Detect Windows AD GPO Disabled

low

Detects when an Active Directory Group Policy is disabled.

Sigma rule; tactic: persistence; technique: T1484.001; sources: process_creation, windows

Detect Windows AD GPO Disabled via Event Log

medium

Detects when an Active Directory Group Policy is disabled based on Windows Event ID 5136

Sigma rule; tactic: persistence; technique: T1484.001; sources: file_event, windows

Detect Windows AD GPO Disabled - ADMON

medium

Detects when an Active Directory Group Policy is disabled using ADMON data

Sigma rule; tactic: persistence; technique: T1484.001; sources: file_event, windows
