Group Policy Discovery via Microsoft GPResult Utility

edit

Group Policy Discovery via Microsoft GPResult Utility

edit

Detects the usage of gpresult.exe to query group policy objects. Attackers may query group policy objects during the reconnaissance phase after compromising a system to gain a better understanding of the active directory environment and possible methods to escalate privileges or move laterally.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*
  • endgame-*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Discovery
  • Elastic Endgame

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
process where event.type == "start" and
(process.name: "gpresult.exe" or process.pe.original_file_name == "gprslt.exe") and process.args: ("/z", "/v", "/r", "/x")

Framework: MITRE ATT&CKTM