Hello
I have auditing of GPO changes turned on. While we have password complexity enabled, during an audit it was found to be disabled.
After searching the logs from the GPO modified date, we found that it was SYSTEM that made the changes, leaving two entries: one for value deleted and one for value added.
This happened one year ago and I thought maybe a team member changed it, but they all denied this. So I turned on the auditing, and one year later I see the same thing, but now with some evidence.
{"timestamp":"2023-04-19T08:48:24.000Z","hostname":"XXXXX-DC02.xxxxx.int","event_code":"5136","description":"A directory service object was modified.","subject_user_sid":"S-1-5-18","subject_user_name":"SYSTEM","subject_domain_name":"NT AUTHORITY","subject_logon_id":"0x140F99821","ds_name":"akigroup.int","ds_type":"Active Directory Domain Services","object_dn":"CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=xxxxxxx,DC=int","object_guid":"{b3e150ae-0756-4e1d-b6e6-6161742c686b}","object_class":"groupPolicyContainer","attribute_ldap_display_name":"versionNumber","attribute_syntax_oid":"2.5.5.9","attribute_value":"1704322","operation_type":"Value Deleted","op_correlation_id":"{7ce28b12-4e95-4aaa-9001-bcb8f34edc0f}","app_correlation_id":"","source_data":"<14>Apr 19 12:48:24 XXXXXX-DC02.xxxxx.int MSWinEventLog\t1\tSecurity\t26311529\tWed Apr 19 12:48:24 2023\t5136\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tXXXXXXX.XXXXX.int\tDirectory Service Changes\t\tA directory service object was modified. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x140F99821 Directory Service: Name: xxxxx.int Type: Active Directory Domain Services Object: DN: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=xxxxxxx,DC=int GUID: {b3e150ae-0756-4e1d-b6e6-6161742c686b} Class: groupPolicyContainer Attribute: LDAP Display Name: versionNumber Syntax (OID): 2.5.5.9 Value: 1704322 Operation: Type: Value Deleted Correlation ID: {7ce28b12-4e95-4aaa-9001-bcb8f34edc0f} Application Correlation ID: -\t942257166"}
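As an added example that is not part of the post: a small Python check that joins the "Value Deleted" / "Value Added" halves of a 5136 record by correlation id, names the GPO from the well-known GUID in its DN, and carries the Logon ID forward so a change attributed to SYSTEM can be traced to the session that made it. The sample lines are constructed from the record above (domain name and the "added" version number are made up).

```python
import json
import re
from collections import defaultdict

# Constructed sample lines modelled on the 5136 record in the post (the SID, the GPO GUID and the
# correlation id are real formats; the domain name and the "Value Added" number are made up).
_BASE = {"event_code": "5136", "subject_user_sid": "S-1-5-18", "subject_logon_id": "0x140F99821",
         "object_dn": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=example,DC=int",
         "object_class": "groupPolicyContainer", "attribute_ldap_display_name": "versionNumber",
         "op_correlation_id": "{7ce28b12-4e95-4aaa-9001-bcb8f34edc0f}"}
SAMPLE_LOG = [json.dumps({**_BASE, "operation_type": "Value Deleted", "attribute_value": "1704322"}),
              json.dumps({**_BASE, "operation_type": "Value Added", "attribute_value": "1704324"})]

# GUIDs of the two built-in GPOs; they are the same in every domain.
WELL_KNOWN_GPOS = {"{31B2F340-016D-11D2-945F-00C04FB984F9}": "Default Domain Policy",
                   "{6AC1786C-016F-11D2-945F-00C04FB984F9}": "Default Domain Controllers Policy"}
GUID_RE = re.compile(r"CN=(\{[0-9a-f-]{36}\}),CN=Policies", re.I)


def pair_5136_changes(lines):
    """Join the Deleted/Added halves of one write (same correlation id + attribute) into one change."""
    pending = defaultdict(dict)
    for line in lines:
        ev = json.loads(line)
        if ev.get("event_code") != "5136":
            continue
        key = (ev["op_correlation_id"], ev["attribute_ldap_display_name"])
        pending[key]["old" if ev["operation_type"] == "Value Deleted" else "new"] = ev["attribute_value"]
        pending[key].setdefault("ev", ev)  # keep one copy of the shared header fields
    return [{"subject_sid": r["ev"]["subject_user_sid"], "logon_id": r["ev"]["subject_logon_id"],
             "object_class": r["ev"]["object_class"], "object_dn": r["ev"]["object_dn"],
             "attribute": attr, "old": r.get("old"), "new": r.get("new")}
            for (_, attr), r in pending.items()]


def flag_gpo_changes(changes):
    """Flag GPO container writes; SYSTEM as subject hides the author, so return the Logon ID to pivot on."""
    findings = []
    for c in changes:
        if c["object_class"] != "groupPolicyContainer":
            continue
        m = GUID_RE.search(c["object_dn"])
        guid = m.group(1).upper() if m else "<no GUID in DN>"
        reasons = []
        if c["subject_sid"] == "S-1-5-18":
            reasons.append("actor is LOCAL SYSTEM; pivot on logon_id to find the real author")
        if guid in WELL_KNOWN_GPOS:
            reasons.append("built-in default GPO modified")
        findings.append({"gpo": WELL_KNOWN_GPOS.get(guid, guid), "attribute": c["attribute"],
                         "old": c["old"], "new": c["new"], "logon_id": c["logon_id"], "reasons": reasons})
    return findings
```

The Logon ID in the finding is the value to search for in the same DC's logon events around that timestamp, since the 5136 record alone only names the account under which the write was committed.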