Group Policy Abuse for Privilege Addition

Rule Info

Name: Group Policy Abuse for Privilege Addition
Author: Elastic, Josh Nickels, Marius Rothenbücher
Description: Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.
Date: 2024-09-04 00:00:00
Modified: None
Id: 1c480e10-7ee1-46d4-8ed2-85f9789e3ce4
Tags: attack.privilege-escalation attack.t1484.001 DEMO
Type: Community Rule

Rule History

Author: Josh
Title: Merge PR #4999 from @joshnck - Add `Group Policy Abuse for Privilege Addition`
Date: 2024-09-06
Commit: