
Summary
This rule detects unauthorized modifications to the Default Domain and Default Domain Controllers Group Policy Objects (GPOs) made through the Group Policy Management Editor (GPME) in a Windows environment. Adversaries often exploit GPME to stealthily alter these critical GPOs and push malicious configurations across an organization's Active Directory domain without triggering alarms. The detection monitors process creation events for indicators associated with the GPME tool: command-line parameters and executable paths that point to a GPO modification. An event is flagged when MMC (Microsoft Management Console) is launched with GPME together with the GUID of one of the default GPOs. Because legitimate administrators also use GPME for valid reasons, false positives are possible, and each alert should be reviewed so that genuine administrative actions are not flagged as malicious.
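The matching logic described above, run over a handful of constructed process-creation records (added example, not the rule's own code). It assumes the rule keys on the two well-known default GPO GUIDs, mmc.exe as the image, and gpme.msc in the command line; the sample events, user names and domain are made up.

```python
"""Flag process-creation events where mmc.exe opens the Group Policy
Management Editor (gpme.msc) against one of the two default GPOs."""
import re

# Well-known GUIDs of the default GPOs (assumed to be what the rule matches on).
DEFAULT_GPO_GUIDS = {
    "31B2F340-016D-11D2-945F-00C04FB984F9": "Default Domain Policy",
    "6AC1786C-016F-11D2-945F-00C04FB984F9": "Default Domain Controllers Policy",
}
GUID_RE = re.compile(r"([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})", re.I)


def match_event(event):
    """Return the name of the default GPO being edited, or None when the
    event does not meet all three conditions (mmc.exe, gpme.msc, default GUID)."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "")
    if not image.endswith("\\mmc.exe"):
        return None
    if "gpme.msc" not in cmdline.lower():
        return None
    for guid in GUID_RE.findall(cmdline):       # a custom GPO's GUID is not a hit
        name = DEFAULT_GPO_GUIDS.get(guid.upper())
        if name:
            return name
    return None


def scan(events):
    """Return (index, gpo_name, user) for every event that matches the rule."""
    hits = []
    for i, e in enumerate(events):
        name = match_event(e)
        if name is not None:
            hits.append((i, name, e.get("User", "")))
    return hits


# Constructed Sysmon Event ID 1 style records; paths and GPOBJECT strings are made up.
_GPME = r'"C:\Windows\system32\mmc.exe" "C:\Windows\system32\gpme.msc" "/GPOBJECT:LDAP://CN={%s},CN=Policies,CN=System,DC=corp,DC=example"'
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mmc.exe", "User": r"CORP\jdoe",
     "CommandLine": _GPME % "31B2F340-016D-11D2-945F-00C04FB984F9"},   # hit
    {"Image": r"C:\Windows\System32\mmc.exe", "User": r"CORP\jdoe",
     "CommandLine": _GPME % "12345678-ABCD-4321-ABCD-123456789ABC"},   # custom GPO: no hit
    {"Image": r"C:\Windows\System32\notepad.exe", "User": r"CORP\jdoe",
     "CommandLine": r'notepad.exe {31B2F340-016D-11D2-945F-00C04FB984F9}.txt'},  # wrong image
    {"Image": r"c:\windows\system32\MMC.EXE", "User": r"CORP\svc-gpo",
     "CommandLine": _GPME % "6ac1786c-016f-11d2-945f-00c04fb984f9"},   # case-insensitive hit
]

if __name__ == "__main__":
    for idx, gpo, user in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {user} opened GPME on '{gpo}' -> verify this is approved admin work")
```

Each hit still needs triage against change tickets or the admin's identity, since the same command line is produced by legitimate GPO edits.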
Categories
- Windows
- Cloud
- On-Premise
- Identity Management
Data Sources
- Process
- Application Log
Created: 2025-11-22