Windows Default Domain GPO Modification via GPME (dcff7e85-d01f-4eb5-badd-84e2e6be8294)

Detects the use of the Group Policy Management Editor (GPME) to modify the Default Domain Policy or Default Domain Controllers Policy Group Policy Objects (GPOs). Adversaries may use GPME to make stealthy changes to these default GPOs, which are linked domain-wide out of the box, and so deploy malicious GPO configuration across the domain without creating a new GPO that would draw attention.

Cluster A | Galaxy A | Cluster B | Galaxy B | Level
--- | --- | --- | --- | ---
Windows Default Domain GPO Modification via GPME (dcff7e85-d01f-4eb5-badd-84e2e6be8294) | Sigma-Rules | Group Policy Modification - T1484.001 (5d2be8b9-d24c-4e98-83bf-2f5f79477163) | Attack Pattern | 1
Domain or Tenant Policy Modification - T1484 (ebb42bbe-62d7-47d7-a55f-3b08b61d792d) | Attack Pattern | Group Policy Modification - T1484.001 (5d2be8b9-d24c-4e98-83bf-2f5f79477163) | Attack Pattern | 2
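As an added example, not part of this galaxy entry or of the Sigma rule it references: a Python sketch of the detection logic the description implies, run over constructed process-creation records. The two GPO GUIDs are the well-known identifiers of the Default Domain Policy and the Default Domain Controllers Policy, which every Active Directory domain is created with. The Sysmon-style field names and the assumption that GPME is launched as mmc.exe loading gpme.msc with a /gpobject: LDAP path are mine, not a copy of the rule's selection, and should be checked against the actual rule before reuse.

```python
import re
from typing import Dict, Iterable, List

# Well-known GUIDs of the two GPOs every Active Directory domain is created with.
DEFAULT_DOMAIN_POLICY_GUID = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
DEFAULT_DOMAIN_CONTROLLERS_POLICY_GUID = "{6AC1786C-016F-11D2-945F-00C04FB984F9}"
DEFAULT_GPO_GUIDS = {
    DEFAULT_DOMAIN_POLICY_GUID.lower(),
    DEFAULT_DOMAIN_CONTROLLERS_POLICY_GUID.lower(),
}

# Any {GUID} token in a command line; a GPO's LDAP path carries one as CN={GUID}.
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def is_default_gpo_gpme_edit(event: Dict[str, str]) -> bool:
    """True when a process-creation record looks like GPME opening a default GPO.

    Assumed shape (an approximation, not the Sigma rule's exact selection):
    mmc.exe loading gpme.msc with a /gpobject: argument whose LDAP path names
    one of the two default GPO GUIDs. Field names follow Sysmon Event ID 1.
    """
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "")
    lowered = cmdline.lower()
    if not image.endswith("\\mmc.exe"):
        return False
    if "gpme.msc" not in lowered or "/gpobject:" not in lowered:
        return False
    # GUID comparison is case-insensitive: AD and tooling emit both cases.
    return any(g.lower() in DEFAULT_GPO_GUIDS for g in GUID_RE.findall(cmdline))


def find_default_gpo_edits(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter a stream of process-creation records down to the ones that fire."""
    return [e for e in events if is_default_gpo_gpme_edit(e)]


# Constructed sample records (not real telemetry); corp.local is a placeholder domain.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # GPME opened on the Default Domain Policy -> fires
        "User": "CORP\\jdoe",
        "Image": r"C:\Windows\System32\mmc.exe",
        "CommandLine": r'"C:\Windows\system32\mmc.exe" "C:\Windows\system32\gpme.msc" '
                       r'/gpobject:"LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},'
                       r'CN=Policies,CN=System,DC=corp,DC=local"',
    },
    {   # GPME opened on the Default Domain Controllers Policy, lower-case GUID -> fires
        "User": "CORP\\svc-deploy",
        "Image": r"C:\Windows\System32\mmc.exe",
        "CommandLine": r'"C:\Windows\system32\mmc.exe" "C:\Windows\system32\gpme.msc" '
                       r'/gpobject:"LDAP://CN={6ac1786c-016f-11d2-945f-00c04fb984f9},'
                       r'CN=Policies,CN=System,DC=corp,DC=local"',
    },
    {   # Same editor on a custom (constructed) GPO GUID -> no hit
        "User": "CORP\\gpoadmin",
        "Image": r"C:\Windows\System32\mmc.exe",
        "CommandLine": r'"C:\Windows\system32\mmc.exe" "C:\Windows\system32\gpme.msc" '
                       r'/gpobject:"LDAP://CN={0F2A9C7E-4D5B-4C3A-9E8F-1A2B3C4D5E6F},'
                       r'CN=Policies,CN=System,DC=corp,DC=local"',
    },
    {   # Group Policy Management Console itself, no GPO opened for editing -> no hit
        "User": "CORP\\gpoadmin",
        "Image": r"C:\Windows\System32\mmc.exe",
        "CommandLine": r'"C:\Windows\system32\mmc.exe" "C:\Windows\system32\gpmc.msc"',
    },
    {   # Unrelated process that merely mentions the GUID -> no hit
        "User": "CORP\\jdoe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -c "Get-ChildItem \\corp.local\SYSVOL\corp.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}"',
    },
]


if __name__ == "__main__":
    for hit in find_default_gpo_edits(SAMPLE_EVENTS):
        print(f"ALERT default GPO opened in GPME by {hit['User']}: {hit['CommandLine']}")
```

Expect noise from administrators who legitimately edit these two GPOs, so correlate hits with the launching user, host and change window rather than alerting blindly. GPME is also only one path to the same outcome: the GroupPolicy PowerShell module or direct writes to SYSVOL never spawn gpme.msc, so pair this process-based check with Directory Service object-modification auditing (Event ID 5136) on the groupPolicyContainer objects and with file auditing on the SYSVOL policy folders.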