Skip to content

Hide Navigation Hide TOC

Windows Default Domain GPO Modification via GPME (dcff7e85-d01f-4eb5-badd-84e2e6be8294)

Detects the use of the Group Policy Management Editor (GPME) to modify Default Domain or Default Domain Controllers Group Policy Objects (GPOs). Adversaries may leverage GPME to make stealthy changes in these default GPOs to deploy malicious GPOs configurations across the domain without raising suspicion.

Cluster A Galaxy A Cluster B Galaxy B Level
Group Policy Modification - T1484.001 (5d2be8b9-d24c-4e98-83bf-2f5f79477163) Attack Pattern Windows Default Domain GPO Modification via GPME (dcff7e85-d01f-4eb5-badd-84e2e6be8294) Sigma-Rules 1
Group Policy Modification - T1484.001 (5d2be8b9-d24c-4e98-83bf-2f5f79477163) Attack Pattern Domain or Tenant Policy Modification - T1484 (ebb42bbe-62d7-47d7-a55f-3b08b61d792d) Attack Pattern 2