Threat Feed

Tag: Group-Policy

5 briefs
high advisory

Group Policy Abuse for Privilege Addition

Detects modifications to Group Policy Object attributes that grant privileges to user accounts or add users to the local Administrators group (for example through Restricted Groups or User Rights Assignment settings), indicating a potential privilege escalation attempt.

Active Directory +1 group-policy privilege-escalation windows
medium advisory

GPO Scheduled Task or Service Creation/Modification

Detects the creation or modification of Group Policy based scheduled tasks or services. An attacker with write access to a GPO (typically a Domain Admin) can abuse them to execute a payload on every domain-joined machine the GPO applies to, yielding privilege escalation and persistence.

Elastic Defend +2 group-policy privilege-escalation persistence windows
medium advisory

GPO Scheduled Task Abuse for Privilege Escalation and Lateral Movement

Attackers abuse Group Policy Objects by modifying scheduled-task attributes so that malicious commands run on every computer the GPO is linked to, potentially leading to privilege escalation and lateral movement.

group-policy scheduled-task privilege-escalation lateral-movement
medium advisory

GPO Modification to Add Startup/Logon Scripts

This rule detects modification of a Group Policy Object (GPO) to add a startup or logon script to the computer or user configuration, which lets an attacker run arbitrary commands at scale for privilege escalation and persistence.

group-policy privilege-escalation persistence windows
medium advisory

Active Directory Group Policy Deletion Detected

Detects deletion of an Active Directory Group Policy using event ID 5136 (a directory service object was modified), indicating potential malicious activity or misconfiguration. Note that 5136 records the attribute change (for example the gPLink value removed from the linked OU or domain); removal of the GPO container itself is logged as event ID 5141 (a directory service object was deleted), and both require the Directory Service Changes audit subcategory and a SACL on the objects.

Splunk Enterprise +2 active-directory group-policy gpo deletion t1484.001
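The five briefs above all key on the same two Security-log records: event 5136 (directory service object modified) on a groupPolicyContainer or on the gPLink of a linked container, and event 5141 (directory service object deleted). The following is an added example, not code from any of the listed rules or their vendors, showing how the attribute changes map onto those categories. It assumes events already flattened into key/value form by a SIEM (field names such as EventCode, ObjectClass, AttributeLDAPDisplayName and OperationType follow the Windows Security event schema), uses the well-known client-side extension GUIDs for the Security, Scripts, Scheduled Tasks and Services areas, and runs over constructed sample records; the classify and triage functions are the example's own.

```python
"""Triage Windows directory-service audit events for Group Policy abuse.

Added example (not code from the page's rules or their vendors): a filter over
constructed Security-log records for event 5136 (object modified) and 5141
(object deleted), mapping GPO attribute changes to the detection categories
described in the briefs above. Sample records are constructed, not captured.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Well-known client-side extension (CSE) GUIDs. A CSE GUID is written into
# gPCMachineExtensionNames / gPCUserExtensionNames when that policy area is
# first configured in the GPO, so a 5136 "value added" containing it is a signal.
CSE_SECURITY = "{827D319E-6EAC-11D2-A4EA-00C04F79F83A}"         # Restricted Groups, user rights
CSE_SCRIPTS = "{42B5FAAE-6536-11D2-AE5A-0000F87571E3}"          # startup/shutdown, logon/logoff scripts
CSE_SCHEDULED_TASKS = "{AADCED64-746C-4633-A97C-D61349046527}"  # Preferences: Scheduled Tasks
CSE_SERVICES = "{91FBB303-0CD5-4055-BF42-E512A681B325}"         # Preferences: Services

VALUE_ADDED = "%%14674"    # 5136 OperationType: value added
VALUE_DELETED = "%%14675"  # 5136 OperationType: value deleted
EXTENSION_ATTRS = {"gPCMachineExtensionNames", "gPCUserExtensionNames"}
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Ordered most to least severe; the first CSE found in the new value wins.
CSE_RULES = [
    (CSE_SECURITY, "gpo_privilege_addition", "high"),
    (CSE_SCHEDULED_TASKS, "gpo_scheduled_task_or_service", "medium"),
    (CSE_SERVICES, "gpo_scheduled_task_or_service", "medium"),
    (CSE_SCRIPTS, "gpo_startup_logon_script", "medium"),
]


@dataclass(frozen=True)
class Alert:
    category: str
    severity: str
    target: str  # DN of the GPO container, or of the container whose gPLink changed
    actor: str
    detail: str


def classify(ev: dict) -> Alert | None:
    """Return an Alert for a GPO-relevant 5136/5141 record, or None if uninteresting."""
    actor = ev.get("SubjectUserName", "?")
    target = ev.get("ObjectDN", "?")
    obj_class = ev.get("ObjectClass")
    if ev.get("EventCode") == "5141" and obj_class == "groupPolicyContainer":
        return Alert("gpo_deleted", "medium", target, actor, "GPO container deleted (5141)")
    if ev.get("EventCode") != "5136":
        return None
    attr = ev.get("AttributeLDAPDisplayName", "")
    value = ev.get("AttributeValue", "")
    op = ev.get("OperationType")
    # Deleting a GPO also unlinks it: a 5136 on the OU/domain removes a gPLink value.
    if attr == "gPLink" and op == VALUE_DELETED:
        return Alert("gpo_unlinked", "medium", target, actor, f"gPLink removed: {value}")
    if obj_class != "groupPolicyContainer" or op != VALUE_ADDED:
        return None
    if attr == "versionNumber":
        # Every edit bumps versionNumber. A task added to a GPO that already has the
        # Scheduled Tasks CSE shows up only here, so keep a low-severity trail.
        return Alert("gpo_version_bump", "low", target, actor, f"versionNumber -> {value}")
    if attr not in EXTENSION_ATTRS:
        return None
    present = {g.upper() for g in GUID_RE.findall(value)}
    for guid, category, severity in CSE_RULES:
        if guid in present:
            scope = "computer" if attr == "gPCMachineExtensionNames" else "user"
            # The AD side only says the area is enabled; the payload lives in SYSVOL.
            return Alert(category, severity, target, actor, f"{scope} CSE {guid} enabled; inspect SYSVOL")
    return None


def triage(events: list[dict]) -> list[Alert]:
    """Run classify() over a batch and drop the records that produced no alert."""
    return [a for a in (classify(e) for e in events) if a is not None]


# Constructed sample records (hypothetical domain corp.example, hypothetical GPO GUID).
GPO_DN = "CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=corp,DC=example"
SAMPLE_EVENTS = [
    {"EventCode": "5136", "SubjectUserName": "jdoe", "ObjectDN": GPO_DN, "ObjectClass": "groupPolicyContainer",
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames", "OperationType": VALUE_ADDED,
     "AttributeValue": "[{AADCED64-746C-4633-A97C-D61349046527}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]"},
    {"EventCode": "5136", "SubjectUserName": "jdoe", "ObjectDN": GPO_DN, "ObjectClass": "groupPolicyContainer",
     "AttributeLDAPDisplayName": "gPCUserExtensionNames", "OperationType": VALUE_ADDED,
     "AttributeValue": "[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B66650-4972-11D1-A7CA-0000F87571E3}]"},
    {"EventCode": "5136", "SubjectUserName": "jdoe", "ObjectDN": GPO_DN, "ObjectClass": "groupPolicyContainer",
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames", "OperationType": VALUE_ADDED,
     "AttributeValue": "[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]"},
    {"EventCode": "5136", "SubjectUserName": "jdoe", "ObjectDN": GPO_DN, "ObjectClass": "groupPolicyContainer",
     "AttributeLDAPDisplayName": "versionNumber", "OperationType": VALUE_ADDED, "AttributeValue": "7"},
    {"EventCode": "5136", "SubjectUserName": "jdoe", "ObjectDN": "OU=Servers,DC=corp,DC=example",
     "ObjectClass": "organizationalUnit", "AttributeLDAPDisplayName": "gPLink", "OperationType": VALUE_DELETED,
     "AttributeValue": "[LDAP://" + GPO_DN + ";0]"},
    {"EventCode": "5141", "SubjectUserName": "jdoe", "ObjectDN": GPO_DN, "ObjectClass": "groupPolicyContainer"},
    {"EventCode": "5136", "SubjectUserName": "jdoe", "ObjectDN": "CN=jdoe,OU=Users,DC=corp,DC=example",
     "ObjectClass": "user", "AttributeLDAPDisplayName": "description", "OperationType": VALUE_ADDED,
     "AttributeValue": "Helpdesk"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.category} by {alert.actor} on {alert.target}: {alert.detail}")
```

Two design points worth keeping in mind when turning this into a production rule: the 5136 record only proves that a policy area was switched on or that the GPO version changed, so the follow-up is always to diff the GPO's folder in SYSVOL (ScheduledTasks.xml, Scripts.ini, GptTmpl.inf) against the last known-good copy; and a GPO that already had the relevant CSE enabled produces nothing but the versionNumber bump, which is why that low-severity alert is retained rather than discarded.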