Group Policy Modification

Group Policy Modification [T1484.001]

Information

Name: Group Policy Modification
ID: T1484.001
Tactics: ,
Technique:

Introduction

Group Policy Modification (T1484.001) is a sub-technique within MITRE ATT&CK's "Domain Policy Modification" technique (T1484). It involves adversaries manipulating Group Policy Objects (GPOs) within Active Directory environments to implement malicious configurations. Attackers may leverage this technique to achieve persistence, escalate privileges, impair defenses, or propagate malware across a network.

Deep Dive Into Technique

Group Policy Objects (GPOs) are a core component of Windows Active Directory environments, allowing administrators to centrally manage security and configuration settings across domain-joined systems. Attackers who gain sufficient privileges (typically Domain Administrator or equivalent) can modify existing GPOs or create new malicious GPOs to propagate unauthorized configuration changes.

Technical details and execution methods include:

GPO Modification:
- Attackers may edit existing GPO settings to weaken security policies, disable endpoint protection tools, or configure malicious scripts.
- Common targets include:
  - Security settings (e.g., disabling firewall, antivirus, or Windows Defender).
  - Startup or logon scripts that execute malicious payloads.
  - Registry settings that lower security posture or grant additional privileges.
Creation of Malicious GPOs:
- Adversaries may create entirely new GPOs to avoid detection and apply malicious configurations selectively to specific user groups or machines.
- Attackers may link malicious GPOs at various Active Directory levels (site, domain, organizational unit) to maximize coverage and impact.
Propagation and Enforcement:
- Once modified or created, GPOs are automatically propagated to domain-joined systems through periodic Group Policy refreshes (default interval: approximately every 90–120 minutes).
- Attackers can force immediate policy updates using tools like gpupdate or PowerShell commands, accelerating malicious policy enforcement.
Common Tools and Methods:
- Native Windows management tools such as Group Policy Management Console (GPMC) or PowerShell cmdlets (New-GPO, Set-GPRegistryValue, Invoke-GPUpdate).
- Third-party attack frameworks and tools such as PowerSploit, Empire, Mimikatz, and BloodHound to identify and exploit Group Policy vulnerabilities.

When this Technique is Usually Used

Group Policy Modification typically appears in the following attack scenarios and stages:

Persistence:
- Attackers establish persistent footholds by embedding malicious scripts or registry keys within GPOs, ensuring automatic execution upon system startup or user logon.
Privilege Escalation:
- Modifying GPO settings can grant attackers higher privileges or disable security controls, facilitating further lateral movement and privilege escalation.
Defense Evasion and Credential Access:
- Attackers disable security tools (antivirus, firewall, logging) through GPO modification to avoid detection and facilitate credential harvesting.
Impact and Disruption:
- Attackers leverage malicious GPOs to disrupt operations, degrade system integrity, or deploy ransomware payloads across multiple endpoints simultaneously.

How this Technique is Usually Detected

Detection methods and indicators of compromise (IoCs) include:

Monitoring GPO Changes:
- Regular monitoring and auditing of Group Policy Object changes via built-in Windows auditing mechanisms (Event Logs: Event IDs 5136, 5137, 5141).
- Use of specialized tools like Microsoft Advanced Threat Analytics (ATA), Microsoft Defender for Identity, or third-party SIEM solutions (Splunk, Elastic Security, IBM QRadar) to detect suspicious GPO modifications.
Baseline Comparisons:
- Maintaining baseline configurations and regularly comparing current GPO states to known-good baselines can highlight unauthorized changes.
PowerShell and Command-Line Auditing:
- Monitoring command-line executions and PowerShell activities related to Group Policy administration (New-GPO, Set-GPRegistryValue, Invoke-GPUpdate, gpupdate /force).
Indicators of Compromise (IoCs):
- Unusual or unauthorized scripts added to startup or logon scripts within GPOs.
- Unexpected registry modifications enforced by GPO settings (e.g., disabling Windows Defender or firewall).
- New GPOs created and linked to sensitive OUs or domain objects without authorization or proper documentation.
Anomalous Behavior Detection:
- Behavioral analytics tools that detect anomalous administrator activities, such as unusual logins or sudden mass modifications of GPOs.

Why it is Important to Detect This Technique

Early detection of Group Policy Modification is crucial due to the significant potential impacts on enterprise security posture:

Persistence and Long-Term Access:
- Attackers leveraging GPOs gain persistent access, making remediation difficult and costly.
Rapid Malware Propagation:
- Malicious GPOs can quickly propagate malware or ransomware across large numbers of domain-joined endpoints simultaneously.
Security Control Subversion:
- Disabling or degrading security controls through GPO modifications severely weakens the organization's defensive measures, allowing attackers to escalate privileges, move laterally, and extract sensitive data.
Operational Disruption and Damage:
- Unauthorized modifications can disrupt critical services, degrade system performance, or lead to extensive downtime and financial losses.
Compliance and Regulatory Issues:
- Failure to identify and remediate unauthorized GPO modifications can lead to compliance violations, regulatory penalties, and loss of customer trust.

Examples

Real-world examples demonstrating the use of Group Policy Modification include:

Ryuk Ransomware Attacks:
- Attackers behind Ryuk ransomware leveraged compromised Domain Administrator credentials to modify GPOs, disabling antivirus and security controls across multiple endpoints, allowing rapid ransomware deployment.
APT29 (Cozy Bear) Operations:
- APT29 has leveraged Group Policy Objects for persistent access and defense evasion, embedding malicious scripts within GPO logon scripts to maintain long-term presence in targeted networks.
NotPetya Malware Incident:
- NotPetya malware leveraged compromised domain credentials to modify GPOs, propagating malware rapidly across affected organizations by deploying malicious files and scripts via Group Policy.
FIN6 Financial Sector Attacks:
- FIN6 attackers have been known to modify GPO settings to disable endpoint security tools, facilitating credential theft and lateral movement within financial institutions.
TrickBot and Emotet Malware Campaigns:
- TrickBot and Emotet malware operators have used Group Policy Modification to disable security tools and propagate malware across infected networks, significantly increasing attack impact and complicating remediation efforts.

In these scenarios, attackers commonly utilized standard Windows administrative tools (PowerShell, GPMC) alongside credential theft techniques (Mimikatz, BloodHound) to gain sufficient privileges and execute malicious GPO modifications, resulting in widespread disruption, data loss, and extensive remediation efforts.

Last updated 1 month ago

Introduction

Deep Dive Into Technique

Technical details and execution methods include:

GPO Modification:

Attackers may edit existing GPO settings to weaken security policies, disable endpoint protection tools, or configure malicious scripts.
Common targets include:
- Security settings (e.g., disabling firewall, antivirus, or Windows Defender).
- Startup or logon scripts that execute malicious payloads.
- Registry settings that lower security posture or grant additional privileges.

Creation of Malicious GPOs:

Adversaries may create entirely new GPOs to avoid detection and apply malicious configurations selectively to specific user groups or machines.
Attackers may link malicious GPOs at various Active Directory levels (site, domain, organizational unit) to maximize coverage and impact.

Propagation and Enforcement:

Once modified or created, GPOs are automatically propagated to domain-joined systems through periodic Group Policy refreshes (default interval: approximately every 90–120 minutes).
Attackers can force immediate policy updates using tools like gpupdate or PowerShell commands, accelerating malicious policy enforcement.

Common Tools and Methods:

Native Windows management tools such as Group Policy Management Console (GPMC) or PowerShell cmdlets (New-GPO, Set-GPRegistryValue, Invoke-GPUpdate).
Third-party attack frameworks and tools such as PowerSploit, Empire, Mimikatz, and BloodHound to identify and exploit Group Policy vulnerabilities.

When this Technique is Usually Used

Group Policy Modification typically appears in the following attack scenarios and stages:

Persistence:

Attackers establish persistent footholds by embedding malicious scripts or registry keys within GPOs, ensuring automatic execution upon system startup or user logon.

Privilege Escalation:

Modifying GPO settings can grant attackers higher privileges or disable security controls, facilitating further lateral movement and privilege escalation.

Defense Evasion and Credential Access:

Attackers disable security tools (antivirus, firewall, logging) through GPO modification to avoid detection and facilitate credential harvesting.

Impact and Disruption:

Attackers leverage malicious GPOs to disrupt operations, degrade system integrity, or deploy ransomware payloads across multiple endpoints simultaneously.

How this Technique is Usually Detected

Detection methods and indicators of compromise (IoCs) include:

Monitoring GPO Changes:

Regular monitoring and auditing of Group Policy Object changes via built-in Windows auditing mechanisms (Event Logs: Event IDs 5136, 5137, 5141).
Use of specialized tools like Microsoft Advanced Threat Analytics (ATA), Microsoft Defender for Identity, or third-party SIEM solutions (Splunk, Elastic Security, IBM QRadar) to detect suspicious GPO modifications.

Baseline Comparisons:

Maintaining baseline configurations and regularly comparing current GPO states to known-good baselines can highlight unauthorized changes.

PowerShell and Command-Line Auditing:

Monitoring command-line executions and PowerShell activities related to Group Policy administration (New-GPO, Set-GPRegistryValue, Invoke-GPUpdate, gpupdate /force).

Indicators of Compromise (IoCs):

Unusual or unauthorized scripts added to startup or logon scripts within GPOs.
Unexpected registry modifications enforced by GPO settings (e.g., disabling Windows Defender or firewall).
New GPOs created and linked to sensitive OUs or domain objects without authorization or proper documentation.

Anomalous Behavior Detection:

Behavioral analytics tools that detect anomalous administrator activities, such as unusual logins or sudden mass modifications of GPOs.

Why it is Important to Detect This Technique

Early detection of Group Policy Modification is crucial due to the significant potential impacts on enterprise security posture:

Persistence and Long-Term Access:

Attackers leveraging GPOs gain persistent access, making remediation difficult and costly.

Rapid Malware Propagation:

Malicious GPOs can quickly propagate malware or ransomware across large numbers of domain-joined endpoints simultaneously.

Security Control Subversion:

Disabling or degrading security controls through GPO modifications severely weakens the organization's defensive measures, allowing attackers to escalate privileges, move laterally, and extract sensitive data.

Operational Disruption and Damage:

Unauthorized modifications can disrupt critical services, degrade system performance, or lead to extensive downtime and financial losses.

Compliance and Regulatory Issues:

Failure to identify and remediate unauthorized GPO modifications can lead to compliance violations, regulatory penalties, and loss of customer trust.

Examples

Real-world examples demonstrating the use of Group Policy Modification include:

Ryuk Ransomware Attacks:

Attackers behind Ryuk ransomware leveraged compromised Domain Administrator credentials to modify GPOs, disabling antivirus and security controls across multiple endpoints, allowing rapid ransomware deployment.

APT29 (Cozy Bear) Operations:

APT29 has leveraged Group Policy Objects for persistent access and defense evasion, embedding malicious scripts within GPO logon scripts to maintain long-term presence in targeted networks.

NotPetya Malware Incident:

NotPetya malware leveraged compromised domain credentials to modify GPOs, propagating malware rapidly across affected organizations by deploying malicious files and scripts via Group Policy.

FIN6 Financial Sector Attacks:

FIN6 attackers have been known to modify GPO settings to disable endpoint security tools, facilitating credential theft and lateral movement within financial institutions.

TrickBot and Emotet Malware Campaigns:

TrickBot and Emotet malware operators have used Group Policy Modification to disable security tools and propagate malware across infected networks, significantly increasing attack impact and complicating remediation efforts.