Rule Info
Name
Windows Default Domain GPO Modification via GPME
Author
TropChaud
Description
Detects the use of the Group Policy Management Editor (GPME) to modify the Default Domain Policy or Default Domain Controllers Policy Group Policy Objects (GPOs).
Adversaries may use GPME to make quiet changes to these two default GPOs, which already apply across the domain or to every domain controller, so that a malicious GPO configuration reaches its targets without the creation or linking of a new GPO that would be more likely to draw attention.
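The following Python check is an added illustration of the idea in the description and is not the Sigma rule itself (the page does not show the rule's detection block). It runs over a few constructed Sysmon-style process-creation events and flags mmc.exe loading gpme.msc against either default GPO. The field names (Image, CommandLine, UtcTime, User) and the /gpobject:"LDAP://CN={GUID},..." command-line shape are assumptions about how the editor is launched; the two GUIDs themselves are the fixed, well-known identifiers of the Default Domain Policy and the Default Domain Controllers Policy in every Active Directory domain.

```python
"""Flag Group Policy Management Editor sessions opened against a default GPO.

Added example, not the Sigma rule. Event layout and sample values are
constructed; the two GPO GUIDs are the well-known fixed defaults.
"""
import re

# Fixed GUIDs that every AD domain uses for its two built-in GPOs.
DEFAULT_GPO_GUIDS = {
    "31b2f340-016d-11d2-945f-00c04fb984f9": "Default Domain Policy",
    "6ac1786c-016f-11d2-945f-00c04fb984f9": "Default Domain Controllers Policy",
}

# Matches a GUID with or without surrounding braces, case-insensitively.
GUID_RE = re.compile(
    r"\{?([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?", re.IGNORECASE
)

# Constructed process-creation events (Sysmon Event ID 1 style). The
# custom GPO GUID in the second event is made up for the example.
SAMPLE_EVENTS = [
    {   # GPME opened on the Default Domain Policy -> should be flagged
        "UtcTime": "2025-11-22 09:14:03",
        "User": "CORP\\jdoe",
        "Image": r"C:\Windows\System32\mmc.exe",
        "CommandLine": r'"C:\Windows\system32\mmc.exe" "C:\Windows\system32\gpme.msc" /s '
                       r'/gpobject:"LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},'
                       r'CN=Policies,CN=System,DC=corp,DC=example"',
    },
    {   # GPME opened on a custom GPO -> not in scope for this rule
        "UtcTime": "2025-11-22 09:15:41",
        "User": "CORP\\jdoe",
        "Image": r"C:\Windows\System32\mmc.exe",
        "CommandLine": r'"C:\Windows\system32\mmc.exe" "C:\Windows\system32\gpme.msc" /s '
                       r'/gpobject:"LDAP://CN={0D1A5F3B-7C2E-4A9B-8E6D-2F1C3B4A5D6E},'
                       r'CN=Policies,CN=System,DC=corp,DC=example"',
    },
    {   # Group Policy Management Console itself, not the editor -> no hit
        "UtcTime": "2025-11-22 09:16:10",
        "User": "CORP\\jdoe",
        "Image": r"C:\Windows\System32\mmc.exe",
        "CommandLine": r'"C:\Windows\system32\mmc.exe" "C:\Windows\system32\gpmc.msc"',
    },
    {   # GPME on the Default Domain Controllers Policy, lowercase GUID -> flagged
        "UtcTime": "2025-11-22 09:20:55",
        "User": "CORP\\svc-deploy",
        "Image": r"C:\Windows\System32\mmc.exe",
        "CommandLine": r'"C:\Windows\system32\mmc.exe" "C:\Windows\system32\gpme.msc" /s '
                       r'/gpobject:"LDAP://cn={6ac1786c-016f-11d2-945f-00c04fb984f9},'
                       r'cn=policies,cn=system,DC=corp,DC=example"',
    },
]


def default_gpo_edited_via_gpme(event):
    """Return the name of the default GPO being edited, or None.

    A hit requires all three: the process is mmc.exe, the command line
    loads gpme.msc, and it references one of the two default GPO GUIDs.
    """
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "")
    if not image.endswith("\\mmc.exe"):
        return None
    if "gpme.msc" not in cmdline.lower():
        return None
    for guid in GUID_RE.findall(cmdline):
        name = DEFAULT_GPO_GUIDS.get(guid.lower())
        if name:
            return name
    return None


def scan(events):
    """Return (time, user, gpo_name) for every event that trips the check."""
    hits = []
    for event in events:
        name = default_gpo_edited_via_gpme(event)
        if name:
            hits.append((event["UtcTime"], event["User"], name))
    return hits


if __name__ == "__main__":
    for when, who, gpo in scan(SAMPLE_EVENTS):
        print(f"{when} {who} opened GPME on '{gpo}'")
```

Legitimate administrators edit the default GPOs too, so in practice the output is a lead to be scoped by user, source host and change window rather than an alert on its own; the events that matter are the ones from accounts or workstations that should never touch domain-wide policy.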
Date
2025-11-22 00:00:00
Modified
None
Id
dcff7e85-d01f-4eb5-badd-84e2e6be8294
Tags
attack.defense-evasion attack.privilege-escalation attack.t1484.001
Type
Community Rule
Link to Public Repo
Rule History
Author
IntelScott
Title
Merge PR #5717 from @tropChaud - Add and Enhance Windows Default Domain GPO & RDP Tampering Rules
Date
2025-11-23
Commit
