IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Group Policy Abuse for Privilege Addition Halfbaked Command and Control Beacon »

› › ›

Group Policy Discovery via Microsoft GPResult Utility

edit

Group Policy Discovery via Microsoft GPResult Utility

edit

Detects the usage of gpresult.exe to query group policy objects. Attackers may query group policy objects during the reconnaissance phase after compromising a system to gain a better understanding of the active directory environment and possible methods to escalate privileges or move laterally.

Rule type: eql

Rule indices:

winlogbeat-*
logs-endpoint.events.*
logs-windows.*
endgame-*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Data Source: Elastic Endgame
Data Source: Elastic Defend

Version: 4

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

process where host.os.type == "windows" and event.type == "start" and
(process.name: "gpresult.exe" or process.pe.original_file_name == "gprslt.exe") and process.args: ("/z", "/v", "/r", "/x")

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Discovery
- ID: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
Technique:
- Name: Group Policy Discovery
- ID: T1615
- Reference URL: https://attack.mitre.org/techniques/T1615/

« Group Policy Abuse for Privilege Addition Halfbaked Command and Control Beacon »