IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« System Information Discovery via Windows Command Shell Windows Network Enumeration »

› ›

Group Policy Discovery via Microsoft GPResult Utility

edit

Group Policy Discovery via Microsoft GPResult Utility

edit

Detects the usage of gpresult.exe to query group policy objects. Attackers may query group policy objects during the reconnaissance phase after compromising a system to gain a better understanding of the active directory environment and possible methods to escalate privileges or move laterally.

Rule type: eql

Rule indices:

winlogbeat-*
logs-endpoint.events.*
logs-windows.*
endgame-*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

Elastic
Host
Windows
Threat Detection
Discovery
Elastic Endgame

Version: 2

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

process where host.os.type == "windows" and event.type == "start" and
(process.name: "gpresult.exe" or process.pe.original_file_name == "gprslt.exe") and process.args: ("/z", "/v", "/r", "/x")

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Discovery
- ID: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
Technique:
- Name: Group Policy Discovery
- ID: T1615
- Reference URL: https://attack.mitre.org/techniques/T1615/

« System Information Discovery via Windows Command Shell Windows Network Enumeration »