
Summary
This rule detects modifications to the Default Domain and Default Domain Controller Group Policy Objects (GPOs) in a Windows domain environment. Adversaries often target these GPOs to alter security settings and deploy harmful configurations that facilitate further attacks or extend their control over the network. The rule triggers on Active Directory Security event ID 5136 (a directory service object was modified) where the changed object is a group policy container. Detection depends on auditing of directory service changes being enabled and on appropriate SACL configuration on the affected objects; without both, the 5136 events are never written and the rule cannot fire. This vigilance matters because the security policies embedded in these GPOs define much of the domain's security posture, and any unauthorized change to them can compromise it significantly. Given the nature of attacks that leverage GPO modifications, the rule is rated medium severity, flagging incidents that warrant further investigation.
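The matching logic described above, as an added illustration rather than the rule's own source: it evaluates 5136 events against the two well-known default GPO container GUIDs (fixed in every AD domain) and reports the subject, GPO, attribute and operation type. The event dicts are constructed samples using the EventData field names Windows logs for 5136; the `ev` helper, `Hit` class and the CORP domain are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Well-known GUIDs of the two default GPOs; identical in every AD domain.
DEFAULT_GPOS = {
    "31b2f340-016d-11d2-945f-00c04fb984f9": "Default Domain Policy",
    "6ac1786c-016f-11d2-945f-00c04fb984f9": "Default Domain Controllers Policy",
}
OPERATIONS = {"%%14674": "Value Added", "%%14675": "Value Deleted"}  # 5136 OperationType codes

@dataclass
class Hit:
    record_id: int
    subject: str
    gpo: str
    attribute: str
    operation: str

def default_gpo_modified(event: dict) -> Optional[Hit]:
    """Apply the rule to one Security event: 5136 on a groupPolicyContainer naming a default GPO."""
    if event.get("EventID") != 5136 or event.get("ObjectClass") != "groupPolicyContainer":
        return None
    dn = event.get("ObjectDN", "").lower()   # GUID casing in logs is inconsistent, so compare lowered
    for guid, name in DEFAULT_GPOS.items():
        if f"cn={{{guid}}}" in dn:           # DN looks like "CN={GUID},CN=Policies,CN=System,DC=..."
            subject = f"{event['SubjectDomainName']}\\{event['SubjectUserName']}"
            op = OPERATIONS.get(event["OperationType"], event["OperationType"])
            return Hit(event["RecordId"], subject, name, event["AttributeLDAPDisplayName"], op)
    return None

def scan(events) -> list:
    """Run the rule over a batch of events and return the alerts in log order."""
    return [hit for hit in map(default_gpo_modified, events) if hit]

def ev(rid, eid, user, guid, attr, op, cls="groupPolicyContainer"):
    """Build a constructed (not real) Security event dict with the EventData fields the rule reads."""
    return {"RecordId": rid, "EventID": eid, "SubjectDomainName": "CORP", "SubjectUserName": user,
            "ObjectDN": f"CN={{{guid}}},CN=Policies,CN=System,DC=corp,DC=example",
            "ObjectClass": cls, "AttributeLDAPDisplayName": attr, "OperationType": op}

# Constructed samples: two default-GPO edits, one custom-GPO edit, one object creation (5137).
SAMPLE_EVENTS = [
    ev(1, 5136, "jdoe", "31B2F340-016D-11D2-945F-00C04FB984F9", "gPCMachineExtensionNames", "%%14674"),
    ev(2, 5136, "svc-deploy", "6AC1786C-016F-11D2-945F-00C04fB984F9", "versionNumber", "%%14675"),
    ev(3, 5136, "jdoe", "11111111-2222-3333-4444-555555555555", "versionNumber", "%%14674"),
    ev(4, 5137, "jdoe", "31B2F340-016D-11D2-945F-00C04FB984F9", "", "%%14674"),
]
```

Only records 1 and 2 produce hits; the custom GPO and the 5137 creation event are ignored, which mirrors the rule's scope and shows why a matching 5136 on a default GPO outside a change window deserves a look at the subject account.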
Categories
- Windows
- On-Premise
- Identity Management
Data Sources
- Windows Registry
- Active Directory
- Logon Session
Created: 2025-11-22