
Summary
This analytic detects unauthorized modifications to the default Group Policy Objects (GPOs) in an Active Directory (AD) environment, specifically the "Default Domain Policy" and the "Default Domain Controllers Policy". Using Splunk's Admon (Active Directory monitoring) input, the rule watches for events recorded as updates to these two GPOs, since such changes may indicate actions by privileged users or by attackers attempting to establish control, gain persistence, or deploy malware across domain-joined hosts. Unauthorized modifications can have cascading effects on policy enforcement, grant unauthorized access across systems, and compromise the security posture of the entire domain. Organizations using this rule should investigate any flagged modification promptly to prevent risk escalation and potential breaches.
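The match conditions described above, re-implemented in Python as an added example (not the analytic's own SPL) and run over constructed Admon-style events. The field names (admonEventType, objectCategory, displayName, distinguishedName, dcName) and the corp.example domain are assumptions mirroring Admon output; the two GUIDs are the well-known identifiers of the default GPOs, so the example also catches a default GPO that has been renamed.

```python
"""Added example (not the Splunk analytic's own code): its match logic over constructed Admon-style events."""
from typing import Dict, List, Optional

# Well-known GUIDs of the two default GPOs. Checking the GUID in the DN as well as
# displayName still catches a default GPO that has been renamed.
DEFAULT_GPO_GUIDS = {
    "{31B2F340-016D-11D2-945F-00C04FB984F9}": "Default Domain Policy",
    "{6AC1786C-016F-11D2-945F-00C04FB984F9}": "Default Domain Controllers Policy",
}
GPC_CATEGORY = "CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=corp,DC=example"
POLICIES = "CN=Policies,CN=System,DC=corp,DC=example"

# Constructed sample events; the field names mirror Admon output (assumed here).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"admonEventType": "Update", "objectCategory": GPC_CATEGORY, "dcName": "DC01",
     "displayName": "Default Domain Policy",
     "distinguishedName": "CN={31B2F340-016D-11D2-945F-00C04FB984F9}," + POLICIES},
    # Default Domain Controllers Policy renamed; the GUID still identifies it
    {"admonEventType": "Update", "objectCategory": GPC_CATEGORY, "dcName": "DC01",
     "displayName": "Baseline",
     "distinguishedName": "CN={6AC1786C-016F-11D2-945F-00C04fB984F9}," + POLICIES},
    # Custom GPO: edits are routine and not flagged by this rule
    {"admonEventType": "Update", "objectCategory": GPC_CATEGORY, "dcName": "DC02",
     "displayName": "Workstation Hardening",
     "distinguishedName": "CN={0F6B2E2A-1D77-4C2B-9B8E-2C1E9F4A7D11}," + POLICIES},
    # Sync is Admon's initial baseline dump, not a change
    {"admonEventType": "Sync", "objectCategory": GPC_CATEGORY, "dcName": "DC01",
     "displayName": "Default Domain Policy",
     "distinguishedName": "CN={31B2F340-016D-11D2-945F-00C04FB984F9}," + POLICIES},
    # A user object that merely shares the display name
    {"admonEventType": "Update", "dcName": "DC01", "displayName": "Default Domain Policy",
     "objectCategory": "CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=example",
     "distinguishedName": "CN=Default Domain Policy,CN=Users,DC=corp,DC=example"},
]

def default_gpo_name(event: Dict[str, str]) -> Optional[str]:
    """Canonical name of the default GPO this event updates, or None if it does not."""
    if event.get("admonEventType") != "Update":
        return None
    if not event.get("objectCategory", "").startswith("CN=Group-Policy-Container,"):
        return None
    leading_rdn = event.get("distinguishedName", "").split(",", 1)[0].upper()
    by_guid = DEFAULT_GPO_GUIDS.get(leading_rdn[3:]) if leading_rdn.startswith("CN=") else None
    name = event.get("displayName")
    return by_guid or (name if name in DEFAULT_GPO_GUIDS.values() else None)

def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag every update to a default GPO, keeping the fields an analyst triages on."""
    return [{"gpo": n, "displayName": e["displayName"], "dcName": e["dcName"]}
            for e in events if (n := default_gpo_name(e))]
```

Running `detect(SAMPLE_EVENTS)` flags only the first two events: the Sync baseline, the custom GPO, and the same-named user object are all ignored.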
Categories
- Endpoint
- Windows
- Cloud
- Infrastructure
- Identity Management
Data Sources
- Windows Registry
- Active Directory
ATT&CK Techniques
- T1484
- T1484.001
Created: 2024-11-13