{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/t1484.001/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["active-directory","group-policy","gpo","deletion","t1484.001"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis detection identifies the deletion of an Active Directory Group Policy Object (GPO), which may indicate an attacker disrupting organizational policy or an administrative mistake with unintended effects. It correlates Windows Security event ID 5136 (a directory service object was modified) with Active Directory monitoring data to recover the display name of the GPO whose links were removed and the account responsible. Investigate these events promptly: deleting a GPO withdraws every setting it enforced from the users and computers in its scope, with immediate effect on the security posture and functionality of the domain. The alert gives defenders a trigger to confirm whether the deletion was authorized and to restore the policy if it was not.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains an account with rights to manage Group Policy Objects, such as a member of Domain Admins or an account delegated edit and delete permissions on the GPO.\u003c/li\u003e\n\u003cli\u003eThe attacker deletes the targeted GPO through the Group Policy Management Console (GPMC) or PowerShell (for example \u003ccode\u003eRemove-GPO\u003c/code\u003e). By default both also remove the links to that GPO from every OU and domain it was linked to; \u003ccode\u003eRemove-GPO -KeepLinks\u003c/code\u003e leaves the links in place.\u003c/li\u003e\n\u003cli\u003eRemoving a link modifies the \u003ccode\u003egpLink\u003c/code\u003e attribute of the linked container, which Windows records as Security event ID 5136 with \u003ccode\u003eAttributeLDAPDisplayName\u003c/code\u003e set to \u003ccode\u003egpLink\u003c/code\u003e. The object modified in this event is the OU or domain, not the GPO itself.\u003c/li\u003e\n\u003cli\u003eThe attribute change is logged as a pair of 5136 events that share a correlation ID: one with OperationType %%14675 (Value Deleted) carrying the old \u003ccode\u003egpLink\u003c/code\u003e value and one with %%14674 (Value Added) carrying the new value. Comparing the two shows which GPO references disappeared.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eObjectDN\u003c/code\u003e holds the distinguished name of the OU or domain whose links changed. The deleted GPO appears inside the old \u003ccode\u003eAttributeValue\u003c/code\u003e under its own distinguished name, as an entry of the form \u003ccode\u003e[LDAP://cn={GUID},cn=policies,cn=system,...;0]\u003c/code\u003e where the trailing number holds the link options.\u003c/li\u003e\n\u003cli\u003eActive Directory monitoring (\u003ccode\u003eadmon\u003c/code\u003e) events for objects of category \u003ccode\u003eGroup-Policy-Container\u003c/code\u003e map that \u003ccode\u003edistinguishedName\u003c/code\u003e to the GPO\u0026rsquo;s human-readable \u003ccode\u003edisplayName\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eWith its links gone, the settings the GPO enforced no longer apply to the affected OUs or domain, and the GPO\u0026rsquo;s own \u003ccode\u003egroupPolicyContainer\u003c/code\u003e object is deleted along with it.\u003c/li\u003e\n\u003cli\u003eAt the next Group Policy refresh, user and computer settings revert to whatever other linked policies or local defaults specify, which can weaken security controls or disrupt normal operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDeleting GPOs can severely weaken an organization\u0026rsquo;s security posture. Affected systems fall back to default or locally configured settings, baselines such as password, audit, firewall and software restriction policy stop being enforced, and previously mitigated weaknesses may be exposed again. The blast radius depends on where the deleted GPO was linked, from a single OU to the entire domain, and the outcome ranges from a lost hardening control to a service outage or a foothold for further compromise. Early detection and remediation, for example restoring the GPO from a backup taken with GPMC or \u003ccode\u003eBackup-GPO\u003c/code\u003e, limit the damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure Active Directory auditing is enabled (the Directory Service Changes audit subcategory produces event ID 5136, and the directory objects need a SACL that audits property writes) and that both Windows Security events and Active Directory monitoring data are being ingested. See the referenced Splunk Lantern article for guidance.\u003c/li\u003e\n\u003cli\u003eConfigure the \u003ccode\u003ewineventlog_security\u003c/code\u003e and \u003ccode\u003eadmon\u003c/code\u003e macros in your Splunk environment to point to the correct indexes, as described in the \u0026ldquo;how_to_implement\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eDeploy the provided detection \u0026ldquo;AD GPO Deleted via Event 5136\u0026rdquo;. Tune its filter macro (\u003ccode\u003ewindows_ad_gpo_deleted_filter\u003c/code\u003e) to exclude known, legitimate GPO deletion activity, such as cleanup performed by a change-management account, and keep the exclusions narrow.\u003c/li\u003e\n\u003cli\u003eInvestigate every alert by examining the source user (\u003ccode\u003esrc_user\u003c/code\u003e) and the deleted GPO (\u003ccode\u003epolicyName\u003c/code\u003e), and confirm against change records whether the deletion was authorized. If it was not, restore the GPO from backup and review what else the account did.\u003c/li\u003e\n\u003cli\u003eUse the provided drilldown searches to review the activity of the source user and any associated risk events.\u003c/li\u003e\n\u003cli\u003eBe aware of a blind spot: deleting a GPO that is not linked anywhere changes no \u003ccode\u003egpLink\u003c/code\u003e attribute and therefore does not trigger this detection; the removal of the GPO\u0026rsquo;s directory object is logged as event ID 5141 (a directory service object was deleted) instead.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-ad-gpo-deleted/","summary":"Detection of Active Directory Group Policy Object deletion through the gpLink changes it causes (event ID 5136), indicating potential malicious activity or misconfiguration.","title":"Active Directory Group Policy Deletion Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-ad-gpo-deleted/"}],"language":"en","title":"CraftedSignal Threat Feed — T1484.001","version":"https://jsonfeed.org/version/1.1"}
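The correlation the brief describes, re-implemented as an added example over constructed sample events. This is not code from the CraftedSignal feed or from Splunk's detection: it pairs the Value Deleted and Value Added halves of each gpLink modification, diffs the GPO references they carry, and resolves the removed GPOs to display names the way the admon join would. The field names (EventCode, ObjectDN, AttributeLDAPDisplayName, AttributeValue, OperationType, OpCorrelationID, SubjectUserName) are assumed to match Splunk's Windows Security fields; the function names, the domain corp.example, the correlation IDs, the events and every GUID except the well-known Default Domain Policy GUID are constructed for this example.

```python
# Added example, not code from the CraftedSignal brief or from Splunk's detection.
# Re-implements the correlation the brief describes: pair the Value Deleted /
# Value Added halves of each gpLink modification (event 5136), diff the GPO
# references they carry, and resolve the removed GPOs to display names the way
# the admon join does. Field names follow Splunk's Windows Security fields
# (assumption); every event, correlation ID and GUID except the well-known
# Default Domain Policy GUID is constructed for this example.
import re

# OperationType codes from Windows event 5136 ("A directory service object was modified").
VALUE_ADDED = "%%14674"
VALUE_DELETED = "%%14675"

# gpLink is a concatenation of "[LDAP://<GPO DN>;<link options>]" entries.
GPLINK_ENTRY = re.compile(r"\[LDAP://(?P<dn>[^;\]]+);(?P<opt>\d+)\]", re.IGNORECASE)


def parse_gplink(value):
    """Return the GPO distinguished names referenced by a gpLink value, lower-cased."""
    return {m.group("dn").lower() for m in GPLINK_ENTRY.finditer(value or "")}


def detect_gpo_unlinks(events, gpo_names, allowlist=frozenset()):
    """Report every GPO reference that disappeared from a container's gpLink.

    gpo_names stands in for the admon Group-Policy-Container data
    (distinguishedName -> displayName). allowlist plays the role of the
    windows_ad_gpo_deleted_filter macro: display names whose removal is expected.
    """
    halves = {}
    for e in events:
        if e.get("EventCode") != 5136 or e.get("AttributeLDAPDisplayName", "").lower() != "gplink":
            continue
        key = (e["ObjectDN"], e.get("OpCorrelationID"))
        halves.setdefault(key, {})[e["OperationType"]] = e
    findings = []
    for (container, _), ops in halves.items():
        before = parse_gplink(ops.get(VALUE_DELETED, {}).get("AttributeValue"))
        # No Value Added half (e.g. the attribute was cleared) means every old reference is gone.
        after = parse_gplink(ops.get(VALUE_ADDED, {}).get("AttributeValue"))
        for gpo_dn in sorted(before - after):
            policy_name = gpo_names.get(gpo_dn, "<unresolved: no admon record>")
            if policy_name in allowlist:
                continue
            findings.append({
                "src_user": ops[VALUE_DELETED].get("SubjectUserName"),
                "container": container,
                "policyDN": gpo_dn,
                "policyName": policy_name,
            })
    return findings


# --- constructed sample data -------------------------------------------------
_DOM = "DC=corp,DC=example"
_POLICIES = "cn=policies,cn=system," + _DOM
_GPO_DEFAULT = "cn={31B2F340-016D-11D2-945F-00C04FB984F9}," + _POLICIES  # well-known Default Domain Policy GUID
_GPO_HARDEN = "cn={7B3C1E2A-5D4F-4C6B-9A8E-1F2D3C4B5A60}," + _POLICIES   # constructed
_GPO_NEW = "cn={A1B2C3D4-E5F6-4A7B-8C9D-0E1F2A3B4C5D}," + _POLICIES      # constructed
_GPO_ORPHAN = "cn={D41D8CD9-8F00-4B20-4E98-00998ECF8427}," + _POLICIES   # constructed, absent from admon data

# What admon would have reported for objectCategory Group-Policy-Container.
SAMPLE_GPO_NAMES = {dn.lower(): name for dn, name in [
    (_GPO_DEFAULT, "Default Domain Policy"),
    (_GPO_HARDEN, "Workstation Hardening"),
    (_GPO_NEW, "Server Logging"),
]}


def _links(*dns):
    return "".join(f"[LDAP://{dn};0]" for dn in dns)


def _evt(corr, container, optype, value, user="jdoe", attr="gpLink"):
    """One constructed 5136 record carrying only the fields the detection consumes."""
    return {"EventCode": 5136, "SubjectUserName": user, "OpCorrelationID": corr,
            "ObjectDN": container, "AttributeLDAPDisplayName": attr,
            "OperationType": optype, "AttributeValue": value}


SAMPLE_EVENTS = [
    # Workstation Hardening unlinked from the Workstations OU; Default Domain Policy kept.
    _evt("{c1}", f"OU=Workstations,{_DOM}", VALUE_DELETED, _links(_GPO_DEFAULT, _GPO_HARDEN)),
    _evt("{c1}", f"OU=Workstations,{_DOM}", VALUE_ADDED, _links(_GPO_DEFAULT)),
    # The same deletion unlinks it from the domain root, where a GPO unknown to admon also disappears.
    _evt("{c2}", _DOM, VALUE_DELETED, _links(_GPO_DEFAULT, _GPO_HARDEN, _GPO_ORPHAN)),
    _evt("{c2}", _DOM, VALUE_ADDED, _links(_GPO_DEFAULT)),
    # A new GPO linked to the Servers OU: a gpLink change that removes nothing, so no alert.
    _evt("{c3}", f"OU=Servers,{_DOM}", VALUE_DELETED, _links(_GPO_DEFAULT)),
    _evt("{c3}", f"OU=Servers,{_DOM}", VALUE_ADDED, _links(_GPO_DEFAULT, _GPO_NEW)),
    # A 5136 on a different attribute is out of scope for this detection.
    _evt("{c4}", f"OU=Servers,{_DOM}", VALUE_ADDED, "Patched 2024-01", user="svc-adsync", attr="description"),
]


def run_sample(allowlist=frozenset()):
    return detect_gpo_unlinks(SAMPLE_EVENTS, SAMPLE_GPO_NAMES, allowlist)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['src_user']} removed {f['policyName']!r} ({f['policyDN']}) from {f['container']}")
```

Two design points carry over to the real search. Pairing on the correlation ID rather than on time keeps two administrators editing the same OU within the same second from being diffed against each other, and diffing the parsed link sets rather than comparing the raw strings is what keeps a link that was merely added or reordered from alerting. The unresolved-name fallback matters in practice: a GPO that admon never captured still shows up, by DN, instead of being dropped by the join.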