Sigma detection rules

6 rules indexed · SIEM-agnostic detection content
Sigma is an open, generic signature format for log-based detection rules. Each rule below can be converted to the native query syntax of Splunk, Elastic, Microsoft Sentinel and other SIEMs; the raw YAML of each rule follows its summary.

Detection rules

Group Policy Abuse for Privilege Addition
Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.
level: medium · status: test · author: Elastic, Josh Nickels, Marius Rothenbücher · id: 1c480e10-7ee1-46d4-8ed2-85f9789e3ce4
Sigma YAML:
title: Group Policy Abuse for Privilege Addition
id: 1c480e10-7ee1-46d4-8ed2-85f9789e3ce4
status: test
description: |
    Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.
author: Elastic, Josh Nickels, Marius Rothenbücher
references:
    - https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275
date: 2024-09-04
tags:
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.t1484.001
logsource:
    product: windows
    service: security
    definition: 'Requirements: The "Audit Directory Service Changes" logging policy must be configured in order to receive events.'
detection:
    selection:
        EventID: 5136
        AttributeLDAPDisplayName: 'gPCMachineExtensionNames'
        AttributeValue|contains:
            - '827D319E-6EAC-11D2-A4EA-00C04F79F83A'
            - '803E14A0-B4FB-11D0-A0D0-00A0C90F574B'
    condition: selection
falsepositives:
    - Users allowed to perform these modifications (user found in field SubjectUserName)
level: medium
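The intro says each rule converts to native SIEM syntax. The following is an added example, not code from this page, from SigmaHQ or from the rule authors: a minimal Sigma-to-Splunk SPL converter that handles the rule shapes used on this page (a single selection, or "all of selection_*"), with the rule above and "Modify Group Policy Settings" (further down) transcribed as Python dicts. The logsource-to-source mapping and the EventID-to-EventCode rename are assumptions modelled on the Splunk Add-on for Windows and the Sysmon source name; all other field names pass through unchanged.

```python
# Added example: a minimal Sigma -> Splunk SPL converter for the rule shapes on this
# page (single selection, or "all of selection_*"). Field names pass through unchanged
# except EventID -> EventCode; the logsource mapping below is an assumption modelled on
# the Splunk Add-on for Windows / Sysmon source names.
FIELD_MAP = {"EventID": "EventCode"}
LOGSOURCE_SPL = {
    ("windows", "security"): 'source="XmlWinEventLog:Security"',
    ("windows", "process_creation"):
        'source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1"',
}


def _escape(value):
    """Backslash and double quote are special inside a quoted SPL term."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"')


def _term(key, values):
    """'Field|modifier...': value(s) -> one SPL term; list values are OR-ed (AND-ed with |all)."""
    field, *mods = key.split("|")
    field = FIELD_MAP.get(field, field)
    if "contains" in mods:
        fmt = "*{}*"
    elif "startswith" in mods:
        fmt = "{}*"
    elif "endswith" in mods:
        fmt = "*{}"
    else:
        fmt = "{}"
    vals = values if isinstance(values, list) else [values]
    terms = [f'{field}="{fmt.format(_escape(v))}"' for v in vals]
    if len(terms) == 1:
        return terms[0]
    return "(" + (" AND " if "all" in mods else " OR ").join(terms) + ")"


def _selection(sel):
    """A map is an implicit AND of its fields; a list of maps is an OR of alternatives.
    Splunk evaluates OR before AND, so every multi-term alternative is parenthesised."""
    if isinstance(sel, list):
        alts = []
        for s in sel:
            spl = _selection(s)
            alts.append(spl if len(s) == 1 else "(" + spl + ")")
        return "(" + " OR ".join(alts) + ")"
    return " ".join(_term(k, v) for k, v in sel.items())


def to_spl(rule):
    """Emit the search: logsource prefix, then every selection the condition requires."""
    ls = rule["logsource"]
    prefix = LOGSOURCE_SPL[(ls["product"], ls.get("service") or ls.get("category"))]
    cond = rule["condition"]
    if cond.startswith("all of "):
        wanted = cond[len("all of "):].rstrip("*")
        names = [n for n in rule["detection"] if n.startswith(wanted)]
    else:
        names = [cond]
    return prefix + " " + " ".join(_selection(rule["detection"][n]) for n in names)


GPO_PRIVILEGE_ADDITION = {  # the rule above, transcribed as Python
    "logsource": {"product": "windows", "service": "security"},
    "detection": {"selection": {
        "EventID": 5136,
        "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
        "AttributeValue|contains": ["827D319E-6EAC-11D2-A4EA-00C04F79F83A",
                                    "803E14A0-B4FB-11D0-A0D0-00A0C90F574B"]}},
    "condition": "selection",
}

MODIFY_GP_SETTINGS = {  # "Modify Group Policy Settings", further down the page
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection_reg": [{"Image|endswith": "\\reg.exe"}, {"OriginalFileName": "reg.exe"}],
        "selection_path": {"CommandLine|contains": "\\SOFTWARE\\Policies\\Microsoft\\Windows\\System"},
        "selection_key": {"CommandLine|contains": [
            "GroupPolicyRefreshTimeDC", "GroupPolicyRefreshTimeOffsetDC", "GroupPolicyRefreshTime",
            "GroupPolicyRefreshTimeOffset", "EnableSmartScreen", "ShellSmartScreenLevel"]}},
    "condition": "all of selection_*",
}

if __name__ == "__main__":
    for rule in (GPO_PRIVILEGE_ADDITION, MODIFY_GP_SETTINGS):
        print(to_spl(rule))
```

Two points the conversion makes visible: Splunk's search command is case-insensitive for field values, which matches Sigma's default, but its Boolean precedence (OR before AND) is why each OR-ed alternative is wrapped in parentheses; and because field names pass straight through, the search only works if the Windows add-on extracts AttributeValue, AttributeLDAPDisplayName and the Sysmon fields under those names. For production conversions use pySigma with a processing pipeline for the target SIEM rather than this teaching converter.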
Modify Group Policy Settings
Detects malicious GPO modifications that can be used to implement many other malicious behaviors.
level: medium · status: test · author: frack113 · id: ada4b0c4-758b-46ac-9033-9004613a150d
Sigma YAML:
title: Modify Group Policy Settings
id: ada4b0c4-758b-46ac-9033-9004613a150d
related:
    - id: b7216a7d-687e-4c8d-82b1-3080b2ad961f
      type: similar
status: test
description: Detects malicious GPO modifications that can be used to implement many other malicious behaviors.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md
author: frack113
date: 2022-08-19
tags:
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.t1484.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_reg:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_path:
        CommandLine|contains: '\SOFTWARE\Policies\Microsoft\Windows\System'
    selection_key:
        CommandLine|contains:
            - GroupPolicyRefreshTimeDC
            - GroupPolicyRefreshTimeOffsetDC
            - GroupPolicyRefreshTime
            - GroupPolicyRefreshTimeOffset
            - EnableSmartScreen
            - ShellSmartScreenLevel
    condition: all of selection_*
falsepositives:
    - Legitimate use
level: medium
Modify Group Policy Settings - ScriptBlockLogging
Detects malicious GPO modifications that can be used to implement many other malicious behaviors.
level: medium · status: test · author: frack113 · id: b7216a7d-687e-4c8d-82b1-3080b2ad961f
Sigma YAML:
title: Modify Group Policy Settings - ScriptBlockLogging
id: b7216a7d-687e-4c8d-82b1-3080b2ad961f
related:
    - id: ada4b0c4-758b-46ac-9033-9004613a150d
      type: similar
status: test
description: Detects malicious GPO modifications that can be used to implement many other malicious behaviors.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md
author: frack113
date: 2022-08-19
tags:
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.t1484.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_path:
        ScriptBlockText|contains: \SOFTWARE\Policies\Microsoft\Windows\System
    selection_key:
        ScriptBlockText|contains:
            - GroupPolicyRefreshTimeDC
            - GroupPolicyRefreshTimeOffsetDC
            - GroupPolicyRefreshTime
            - GroupPolicyRefreshTimeOffset
            - EnableSmartScreen
            - ShellSmartScreenLevel
    condition: all of selection_*
falsepositives:
    - Legitimate use
level: medium
Startup/Logon Script Added to Group Policy Object
Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
level: medium · status: test · author: Elastic, Josh Nickels, Marius Rothenbücher · id: 123e4e6d-b123-48f8-b261-7214938acaf0
Sigma YAML:
title: Startup/Logon Script Added to Group Policy Object
id: 123e4e6d-b123-48f8-b261-7214938acaf0
status: test
description: |
    Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
references:
    - https://www.elastic.co/guide/en/security/current/startup-logon-script-added-to-group-policy-object.html
author: Elastic, Josh Nickels, Marius Rothenbücher
date: 2024-09-06
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.t1484.001
    - attack.t1547
logsource:
    product: windows
    service: security
    definition: 'Requirements: "DS Access > Audit Directory Service Changes" must be enabled for event 5136, and the advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure for event 5145.'
detection:
    selection_eventid:
        EventID:
            - 5136
            - 5145
    selection_attributes_main:
        AttributeLDAPDisplayName:
            - 'gPCMachineExtensionNames'
            - 'gPCUserExtensionNames'
        AttributeValue|contains: '42B5FAAE-6536-11D2-AE5A-0000F87571E3'
    selection_attributes_optional:
        AttributeValue|contains:
            - '40B6664F-4972-11D1-A7CA-0000F87571E3'
            - '40B66650-4972-11D1-A7CA-0000F87571E3'
    selection_share:
        ShareName|endswith: '\SYSVOL'
        RelativeTargetName|endswith:
            - '\scripts.ini'
            - '\psscripts.ini'
        AccessList|contains: '%%4417'
    condition: selection_eventid and (all of selection_attributes_* or selection_share)
falsepositives:
    - Legitimate execution by system administrators.
level: medium
Windows Default Domain GPO Modification
Detects modifications to Default Domain or Default Domain Controllers Group Policy Objects (GPOs). Adversaries may modify these default GPOs to deploy malicious configurations across the domain.
level: medium · status: experimental · author: Swachchhanda Shrawan Poudel (Nextron Systems) · id: e5ac86dd-2da1-454b-be74-05d26c769d7d
Sigma YAML:
title: Windows Default Domain GPO Modification
id: e5ac86dd-2da1-454b-be74-05d26c769d7d
related:
    - id: dcff7e85-d01f-4eb5-badd-84e2e6be8294
      type: similar
status: experimental
description: |
    Detects modifications to Default Domain or Default Domain Controllers Group Policy Objects (GPOs).
    Adversaries may modify these default GPOs to deploy malicious configurations across the domain.
references:
    - https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html
    - https://adsecurity.org/?p=3377
    - https://www.pentestpartners.com/security-blog/living-off-the-land-gpo-style/
    - https://jgspiers.com/audit-group-policy-changes/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-22
tags:
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.t1484.001
logsource:
    product: windows
    service: security
    definition: |
        Enable 'Audit Directory Service Changes' in the Default Domain Controllers Policy under:
        Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> DS Access -> Audit Directory Service Changes (Success).
        Additionally, proper SACL needs to be configured on the 'CN=Policies,CN=System,DC=<domain>,DC=<tld>' container in Active Directory to capture changes to Group Policy Objects.
detection:
    selection:
        EventID: 5136
        ObjectClass: 'groupPolicyContainer'
        ObjectDN|startswith:
            - 'CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM' # Default Domain Policy
            - 'CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM' # Default Domain Controllers Policy
    condition: selection
falsepositives:
    - Legitimate modifications to Default Domain or Default Domain Controllers GPOs
level: medium
Windows Default Domain GPO Modification via GPME
Detects the use of the Group Policy Management Editor (GPME) to modify the Default Domain or Default Domain Controllers Group Policy Objects (GPOs). Adversaries may leverage GPME to make stealthy changes to these default GPOs and deploy malicious configurations across the domain without raising suspicion.
level: medium · status: experimental · author: TropChaud · id: dcff7e85-d01f-4eb5-badd-84e2e6be8294
Sigma YAML:
title: Windows Default Domain GPO Modification via GPME
id: dcff7e85-d01f-4eb5-badd-84e2e6be8294
related:
    - id: e5ac86dd-2da1-454b-be74-05d26c769d7d
      type: similar
status: experimental
description: |
    Detects the use of the Group Policy Management Editor (GPME) to modify the Default Domain or Default Domain Controllers Group Policy Objects (GPOs).
    Adversaries may leverage GPME to make stealthy changes to these default GPOs and deploy malicious configurations across the domain without raising suspicion.
references:
    - https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html
    - https://adsecurity.org/?p=3377
    - https://sdmsoftware.com/general-stuff/launching-the-new-gp-management-editor-from-the-command-line/
    - https://www.pentestpartners.com/security-blog/living-off-the-land-gpo-style/
author: TropChaud
date: 2025-11-22
tags:
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.t1484.001
logsource:
    product: windows
    category: process_creation
detection:
    # "C:\Windows\System32\gpme.msc" /s /gpobject:"LDAP://<REDACTED>/cn=<REDACTED>,cn=policies,cn=system,DC=<REDACTED>,DC=local"
    selection_mmc:
        - Image|endswith: '\mmc.exe'
        - OriginalFileName: 'MMC.exe'
    selection_gpme:
        CommandLine|contains|all:
            - 'gpme.msc'
            - 'gpobject:'
    selection_default_gpos:
        CommandLine|contains:
            - '31B2F340-016D-11D2-945F-00C04FB984F9' # Default Domain Policy GUID
            - '6AC1786C-016F-11D2-945F-00C04FB984F9' # Default Domain Controllers Policy GUID
    condition: all of selection_*
falsepositives:
    - Legitimate use of GPME to modify GPOs
level: medium
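To see what these rules actually match, here is an added example (not code from this page, from SigmaHQ or from the rule authors): a minimal evaluator implementing the Sigma matching semantics the rules above rely on (case-insensitive comparison; the contains, startswith and endswith modifiers; list values OR-ed unless |all is given; a list of maps OR-ed as alternatives), run over constructed sample events for "Modify Group Policy Settings", "Startup/Logon Script Added to Group Policy Object" and "Windows Default Domain GPO Modification via GPME". The events, the contoso.local domain, the dc01 host and the paths are all made up; the conditions are hand-written Python lambdas rather than parsed Sigma condition strings, and wildcard or regex modifiers are not implemented.

```python
# Added example: a minimal evaluator for the Sigma matching semantics the rules on this
# page rely on. Wildcards (*, ?) and regex modifiers are not implemented; conditions are
# written as Python lambdas over the per-selection results instead of being parsed.
def _match_value(actual, pattern, mods):
    """Sigma string matching is case-insensitive; contains/startswith/endswith alter the test."""
    if actual is None:
        return False
    a, p = str(actual).lower(), str(pattern).lower()
    if "contains" in mods:
        return p in a
    if "startswith" in mods:
        return a.startswith(p)
    if "endswith" in mods:
        return a.endswith(p)
    return a == p


def _match_field(event, key, values):
    """'Field|mods': values -> list values are OR-ed, or AND-ed when the 'all' modifier is set."""
    field, *mods = key.split("|")
    vals = values if isinstance(values, list) else [values]
    hits = [_match_value(event.get(field), v, mods) for v in vals]
    return all(hits) if "all" in mods else any(hits)


def match_selection(event, sel):
    """A map ANDs its fields; a list of maps ORs the alternatives."""
    if isinstance(sel, list):
        return any(match_selection(event, s) for s in sel)
    return all(_match_field(event, k, v) for k, v in sel.items())


def all_of(results, prefix):
    """Sigma's 'all of prefix*' over the evaluated selections."""
    return all(hit for name, hit in results.items() if name.startswith(prefix))


def evaluate(rule, event):
    results = {n: match_selection(event, s) for n, s in rule["selections"].items()}
    return bool(rule["condition"](results))


def run(rules, events):
    """(rule title, event index) for every pair that fires, in event order."""
    return [(r["title"], i) for i, e in enumerate(events) for r in rules if evaluate(r, e)]


MODIFY_GP_SETTINGS = {"title": "Modify Group Policy Settings", "selections": {
    "selection_reg": [{"Image|endswith": "\\reg.exe"}, {"OriginalFileName": "reg.exe"}],
    "selection_path": {"CommandLine|contains": "\\SOFTWARE\\Policies\\Microsoft\\Windows\\System"},
    "selection_key": {"CommandLine|contains": [
        "GroupPolicyRefreshTimeDC", "GroupPolicyRefreshTimeOffsetDC", "GroupPolicyRefreshTime",
        "GroupPolicyRefreshTimeOffset", "EnableSmartScreen", "ShellSmartScreenLevel"]}},
    "condition": lambda r: all_of(r, "selection_")}

LOGON_SCRIPT_GPO = {"title": "Startup/Logon Script Added to Group Policy Object", "selections": {
    "selection_eventid": {"EventID": [5136, 5145]},
    "selection_attributes_main": {
        "AttributeLDAPDisplayName": ["gPCMachineExtensionNames", "gPCUserExtensionNames"],
        "AttributeValue|contains": "42B5FAAE-6536-11D2-AE5A-0000F87571E3"},
    "selection_attributes_optional": {"AttributeValue|contains": [
        "40B6664F-4972-11D1-A7CA-0000F87571E3", "40B66650-4972-11D1-A7CA-0000F87571E3"]},
    "selection_share": {"ShareName|endswith": "\\SYSVOL",
                        "RelativeTargetName|endswith": ["\\scripts.ini", "\\psscripts.ini"],
                        "AccessList|contains": "%%4417"}},
    # condition: selection_eventid and (all of selection_attributes_* or selection_share)
    "condition": lambda r: r["selection_eventid"]
                 and (all_of(r, "selection_attributes_") or r["selection_share"])}

GPME_DEFAULT_GPO = {"title": "Windows Default Domain GPO Modification via GPME", "selections": {
    "selection_mmc": [{"Image|endswith": "\\mmc.exe"}, {"OriginalFileName": "MMC.exe"}],
    "selection_gpme": {"CommandLine|contains|all": ["gpme.msc", "gpobject:"]},
    "selection_default_gpos": {"CommandLine|contains": [
        "31B2F340-016D-11D2-945F-00C04FB984F9", "6AC1786C-016F-11D2-945F-00C04FB984F9"]}},
    "condition": lambda r: all_of(r, "selection_")}

RULES = [MODIFY_GP_SETTINGS, LOGON_SCRIPT_GPO, GPME_DEFAULT_GPO]

# Constructed sample events (not real telemetry); domain, host and paths are made up.
EVENTS = [
    {"EventID": 5145, "ShareName": "\\\\*\\SYSVOL", "AccessList": "%%4417 %%4418",  # 0: scripts.ini written in SYSVOL
     "RelativeTargetName": "contoso.local\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\Machine\\Scripts\\scripts.ini"},
    {"EventID": 5136, "AttributeLDAPDisplayName": "gPCMachineExtensionNames",  # 1: Scripts CSE plus MMC extension registered
     "AttributeValue": "[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}]"},
    {"EventID": 5136, "AttributeLDAPDisplayName": "gPCMachineExtensionNames",  # 2: CSE GUID alone, optional selection fails
     "AttributeValue": "[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}]"},
    {"Image": "C:\\Windows\\System32\\reg.exe",  # 3: SmartScreen policy disabled
     "CommandLine": 'reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System" /v EnableSmartScreen /t REG_DWORD /d 0 /f'},
    {"Image": "C:\\Windows\\System32\\reg.exe",  # 4: read-only query, still fires
     "CommandLine": 'reg query "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System" /v EnableSmartScreen'},
    {"Image": "C:\\Windows\\System32\\mmc.exe", "OriginalFileName": "MMC.exe",  # 5: GPME opened on the Default Domain Policy
     "CommandLine": '"C:\\Windows\\system32\\mmc.exe" "C:\\Windows\\System32\\gpme.msc" /s '
                    '/gpobject:"LDAP://dc01.contoso.local/cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=contoso,DC=local"'},
    {"Image": "C:\\Windows\\System32\\mmc.exe", "OriginalFileName": "MMC.exe",  # 6: plain GPMC console, no /gpobject
     "CommandLine": '"C:\\Windows\\system32\\mmc.exe" "C:\\Windows\\System32\\gpmc.msc"'},
]

if __name__ == "__main__":
    for title, idx in run(RULES, EVENTS):
        print(f"event {idx}: {title}")
```

Two behaviours worth noting from the sample run. Event 4 fires "Modify Group Policy Settings" even though it is a reg query: the rule keys on the path and value name in the command line and cannot tell a read from a write, which is why its false-positive entry is simply "Legitimate use". Event 2 does not fire the startup-script rule: the 5136 branch requires both the Scripts CSE GUID and one of the MMC extension GUIDs in the same attribute value, so a change that writes only the CSE GUID is caught, if at all, by the 5145 SYSVOL branch when scripts.ini or psscripts.ini is written.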
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin