MITRE ATT&CK® Analytic

AN0854: Analytic 0854

Adversary modifies GPO containers or files under SYSVOL using LDAP, ADSI, PowerShell (e.g., New-GPOImmediateTask) or GUI tools. This includes directory object changes (e.g., gPCFileSysPath), delegation assignments (SeEnableDelegationPrivilege), and SYSVOL file writes (ScheduledTasks.xml, GptTmpl.inf).

Enterprise | AN0854 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

AN0854 describes monitoring for changes to Windows Group Policy Objects and related SYSVOL files. This matters because GPOs can centrally change configuration across many domain-joined systems, so unauthorized or poorly governed changes can affect identity controls, endpoint behavior, administrative access, and operational continuity at scale.

Executive priority

Treat GPO change visibility as an Active Directory resilience and audit priority. Leaders should ask whether the organization can prove who changed GPO containers, delegation settings, or SYSVOL policy files, when the change occurred, and which systems could be affected. The business value is not just detecting one event; it is preserving confidence in centralized Windows control mechanisms during incident response, compliance reviews, and recovery decisions.

Technical view

For Windows environments, validate monitoring around directory object changes to GPO containers and writes under SYSVOL. The supplied object specifically references changes through LDAP, ADSI, PowerShell, or GUI tools, including gPCFileSysPath changes, delegation-related assignments such as SeEnableDelegationPrivilege, and SYSVOL writes such as ScheduledTasks.xml and GptTmpl.inf. Because no official detection logic or relationship context is provided, SOC and detection teams should build coverage around authoritative AD and file-change evidence rather than relying on a single tool-specific event.

Likely telemetry

  • Active Directory directory service change events for Group Policy container objects
  • LDAP/ADSI-originated modification evidence where available
  • PowerShell activity involving GPO administration, including New-GPOImmediateTask where logged
  • SYSVOL file creation, modification, and write telemetry
  • File integrity or audit records for policy files such as ScheduledTasks.xml and GptTmpl.inf

Detection direction

  • Baseline expected GPO administration paths, accounts, and change windows before alerting aggressively.
  • Correlate GPO container changes with SYSVOL file writes; either alone may be insufficient context.
  • Prioritize unusual delegation or privilege-related changes affecting who can modify policy.
  • Account for legitimate GUI, PowerShell, LDAP, and ADSI-based administration to reduce false positives.
  • Identify blind spots where SYSVOL file auditing, PowerShell logging, or AD object change auditing is not enabled or not centrally retained.
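As an added illustration of the correlation these points describe (not the analytic's own logic or Glexia's), the following Python runs a small set of constructed Windows Security events through the pairing and baseline checks. It assumes event IDs 5136, 4663 and 4704 carry the directory-change, SYSVOL-write and user-right evidence, and uses simplified field names, a constructed `CORP` domain, and a constructed approved-administrator baseline.

```python
# Added example, not from the analytic or Glexia. Assumes Windows Security event IDs 5136
# (directory object modified), 4663 (object access), 4704 (user right assigned); field names are simplified.
import re
from datetime import datetime, timedelta

POLICY_FILES = ("ScheduledTasks.xml", "GptTmpl.inf")
APPROVED_ADMINS = {"CORP\\gpo-admin"}   # constructed baseline of expected GPO editors
WINDOW = timedelta(minutes=10)          # container change <-> SYSVOL write pairing window
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")
SYSVOL = "\\\\corp.local\\SYSVOL\\corp.local\\Policies\\"
# Constructed sample events (not real logs); timestamps are ISO 8601.
EVENTS = [
    {"ts": "2024-05-01T13:02:10", "id": 5136, "subject": "CORP\\jdoe",
     "obj": "CN={B2B2},CN=Policies,CN=System,DC=corp,DC=local", "attr": "versionNumber"},
    {"ts": "2024-05-01T13:03:40", "id": 4663, "subject": "CORP\\jdoe", "access": "WriteData",
     "path": SYSVOL + "{B2B2}\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml"},
    {"ts": "2024-05-01T15:30:00", "id": 5136, "subject": "CORP\\jdoe",
     "obj": "CN={C3C3},CN=Policies,CN=System,DC=corp,DC=local", "attr": "gPCFileSysPath"},
    {"ts": "2024-05-01T16:00:00", "id": 4704, "subject": "CORP\\jdoe", "right": "SeEnableDelegationPrivilege"},
    {"ts": "2024-05-01T18:00:00", "id": 4663, "subject": "CORP\\svc-deploy", "access": "WriteData",
     "path": SYSVOL + "{A1A1}\\Machine\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf"},
]

def guid(s):  # GPO GUID shared by the container DN and its SYSVOL folder
    m = GUID_RE.search(s)
    return m.group(0).upper() if m else None
def is_policy_write(e):
    return (e["id"] == 4663 and "Write" in e["access"]
            and "\\SYSVOL\\" in e["path"] and e["path"].endswith(POLICY_FILES))

def detect(events):  # -> [(rule, subject, severity)]; baseline-admin edits with no paired write are dropped
    findings, paired, writes = [], set(), [e for e in events if is_policy_write(e)]
    for e in events:
        if e["id"] == 5136 and "CN=Policies" in e["obj"]:
            t = datetime.fromisoformat(e["ts"])
            near = [w for w in writes if guid(w["path"]) == guid(e["obj"])
                    and abs(datetime.fromisoformat(w["ts"]) - t) <= WINDOW]
            paired.update(id(w) for w in near)
            if e["attr"] == "gPCFileSysPath":   # clients would fetch policy files from a new location
                findings.append(("gpo-filesyspath-changed", e["subject"], "high"))
            elif near:                          # container change paired with a SYSVOL policy write
                findings.append(("gpo-change-with-sysvol-write", e["subject"], "high"))
            elif e["subject"] not in APPROVED_ADMINS:
                findings.append(("gpo-change-unexpected-actor", e["subject"], "medium"))
        elif e["id"] == 4704 and e["right"] == "SeEnableDelegationPrivilege":
            findings.append(("delegation-privilege-assigned", e["subject"], "high"))
    for w in writes:                            # SYSVOL policy writes with no matching container change
        if id(w) not in paired and w["subject"] not in APPROVED_ADMINS:
            findings.append(("sysvol-policy-write-unpaired", w["subject"], "medium"))
    return findings
```

In a SIEM the same pairing would key on the GPO GUID and the subject across the two event sources; the baseline set and the window are the knobs that control false-positive volume.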

Mitigation priorities

  • Restrict GPO modification rights to approved administrative roles and review delegation regularly.
  • Require change management and documented approval for GPO and SYSVOL updates.
  • Enable and retain auditing for AD object changes and SYSVOL file modifications.
  • Protect administrative accounts used for Group Policy management with strong identity controls.
  • Maintain tested recovery procedures for reverting unauthorized or erroneous GPO changes.

Analyst notes and limits

This is a detection analytic object, not a technique entry. The supplied ATT&CK fields provide a clear behavior description and Windows platform scope, but no tactic, analytic logic, data component mapping, or related technique relationships were supplied. Local AD architecture, logging configuration, and GPO administration practices are required to turn this into production detection content.

Official detection guidance is not provided, and no relationships were supplied. This take should not be interpreted as evidence of active exploitation, attribution, impact, or confirmed coverage in any environment.

Official MITRE ATT&CK definition

Analytic 0854

Adversary modifies GPO containers or files under SYSVOL using LDAP, ADSI, PowerShell (e.g., New-GPOImmediateTask) or GUI tools. This includes directory object changes (e.g., gPCFileSysPath), delegation assignments (SeEnableDelegationPrivilege), and SYSVOL file writes (ScheduledTasks.xml, GptTmpl.inf).


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 2d16f2c26f50c087...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   2d16f2c26f50…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0854

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.