T1615 Group Policy Discovery Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousGPOPSFunctions = dynamic([
    "Get-DomainGPO", "Get-DomainGPOLocalGroup", "Get-DomainGPOComputerLocalGroupMapping",
    "Get-DomainGPOUserLocalGroupMapping", "Get-NetGPO", "Get-GPO",
    "Get-GPResultantSetOfPolicy", "Get-GPOReport", "Find-GPOLocation",
    "Find-GPOComputerAdmin"
]);
let LegitParents = dynamic(["mmc.exe", "gpedit.msc", "gpmc.msc", "msiexec.exe", "sccmexec.exe", "ccmexec.exe"]);
DeviceProcessEvents
| where TimeGenerated > ago(1d)
| where (
    // Direct gpresult enumeration outside standard admin parent processes
    (FileName =~ "gpresult.exe"
        and not(InitiatingProcessFileName has_any (LegitParents))
        and AccountName !endswith "$"
    )
    // PowerShell GPO enumeration via PowerView, Empire, or RSAT
    or (FileName in~ ("powershell.exe", "pwsh.exe")
        and ProcessCommandLine has_any (SuspiciousGPOPSFunctions)
    )
    // WMIC-based GPO queries
    or (FileName =~ "wmic.exe"
        and ProcessCommandLine has_any ("gpo", "grouppolicy")
    )
    // net.exe querying GPO-related groups
    or (FileName =~ "net.exe"
        and ProcessCommandLine matches regex @"(?i)(group\s*policy|gpo)"
    )
)
| extend AccountUpn = strcat(AccountDomain, "\\", AccountName)
| project
    TimeGenerated,
    DeviceName,
    AccountUpn,
    AccountName,
    AccountDomain,
    FileName,
    ProcessCommandLine,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    InitiatingProcessParentFileName,
    FolderPath
| order by TimeGenerated desc

medium severity medium confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT administrators running gpresult.exe manually or via scripts for compliance auditing and troubleshooting Group Policy application failures
SCCM/Intune client management processes (ccmexec.exe, msiexec.exe) invoking gpresult.exe during client health checks or software deployments
Security and compliance tooling (e.g., Tenable, Rapid7, CrowdStrike Spotlight) using PowerShell GPO cmdlets during scheduled configuration assessment scans
Help desk personnel using GPMC or RSAT tools to diagnose user/computer policy application issues
Automated GPO compliance checks performed by domain management scripts run from privileged service accounts

Splunk

spl

index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval process_lower=lower(Image)
| eval cmdline_lower=lower(CommandLine)
| eval parent_lower=lower(ParentImage)
| where (
    (
        match(process_lower, "gpresult\.exe")
        AND NOT match(parent_lower, "(?i)(mmc|gpedit|gpmc|msiexec|ccmexec|sccmexec)")
        AND NOT match(User, "(?i)\\$$")
    )
    OR (
        match(process_lower, "(powershell|pwsh)\.exe")
        AND match(cmdline_lower, "(get-domaingpo|get-netgpo|get-gpo|get-gpresultantsetofpolicy|get-gporeport|find-gpolocation|find-gpocomputeradmin|domaingpolocalgroup|domaingpouserlocal)")
    )
    OR (
        match(process_lower, "wmic\.exe")
        AND match(cmdline_lower, "(gpo|grouppolicy)")
    )
)
| eval detection_type=case(
    match(process_lower, "gpresult\.exe"), "gpresult_execution",
    match(process_lower, "(powershell|pwsh)\.exe"), "powershell_gpo_enumeration",
    match(process_lower, "wmic\.exe"), "wmic_gpo_query",
    true(), "unknown"
)
| table _time, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, detection_type
| sort - _time

medium severity medium confidence

Data Sources

Sysmon

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Administrators using gpresult.exe from command prompt or PowerShell sessions for troubleshooting GPO application failures
Security baselines and audit scripts leveraging Get-GPO or Get-GPResultantSetOfPolicy via scheduled tasks running under service accounts
Group Policy management consoles (GPMC, RSAT) that spawn gpresult.exe as a subprocess during GPO modeling or reporting operations
Red team assessments and authorized penetration tests using PowerView or BloodHound for AD enumeration
IT automation platforms (Ansible, Chef, Puppet) using PowerShell to validate GPO application state on managed endpoints

Elastic Security (EQL)

eql

process where process.name : ("gpresult.exe", "powershell.exe") and (process.args : ("/r", "/v", "/h", "/z", "/scope", "computer", "user") or process.command_line : ("*Get-GPO*", "*Get-GPOReport*", "*Get-GPPermissions*")) and process.parent.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")

medium severity medium confidence

Data Sources

Elastic Endpoint Security

Required Tables

logs-endpoint.events.process-*

False Positives

IT administrators running gpresult.exe manually or via scripts for compliance auditing and troubleshooting Group Policy application failures
SCCM/Intune client management processes (ccmexec.exe, msiexec.exe) invoking gpresult.exe during client health checks or software deployments
Security and compliance tooling (e.g., Tenable, Rapid7, CrowdStrike Spotlight) using PowerShell GPO cmdlets during scheduled configuration assessment scans
Help desk personnel using GPMC or RSAT tools to diagnose user/computer policy application issues
Automated GPO compliance checks performed by domain management scripts run from privileged service accounts

IBM QRadar (AQL)

sql

SELECT username as "Username", "UTF8(payload)" as "CommandLine", sourceip as "SourceIP", devicetime as "EventTime", CASE WHEN "CommandLine" ILIKE '%gpresult%' AND ("CommandLine" ILIKE '%/r%' OR "CommandLine" ILIKE '%/v%') THEN 65 WHEN "CommandLine" ILIKE '%Get-GPO%' OR "CommandLine" ILIKE '%Get-GPOReport%' THEN 70 ELSE 45 END as "RiskScore" FROM events WHERE eventid = 4688 AND ("CommandLine" ILIKE '%gpresult%' OR "CommandLine" ILIKE '%Get-GPO%' OR "CommandLine" ILIKE '%GroupPolicy%') ORDER BY "RiskScore" DESC LAST 24 HOURS

medium severity medium confidence

Data Sources

Windows Security Event Log

Required Tables

events

False Positives

IT administrators running gpresult.exe manually or via scripts for compliance auditing and troubleshooting Group Policy application failures
SCCM/Intune client management processes (ccmexec.exe, msiexec.exe) invoking gpresult.exe during client health checks or software deployments
Security and compliance tooling (e.g., Tenable, Rapid7, CrowdStrike Spotlight) using PowerShell GPO cmdlets during scheduled configuration assessment scans
Help desk personnel using GPMC or RSAT tools to diagnose user/computer policy application issues
Automated GPO compliance checks performed by domain management scripts run from privileged service accounts

Sumo Logic CSE

sql

_sourceCategory=endpoint/windows | json auto | where process_name = "gpresult.exe" or (process_name = "powershell.exe" and (command_line matches "*Get-GPO*" or command_line matches "*Get-GPOReport*")) | if(matches(parent_process, "*powershell*") or matches(parent_process, "*cmd*"), "Medium", "Low") as RiskLevel | stats count by user_name, process_name, command_line, host_name, RiskLevel | sort by count desc

medium severity medium confidence

Data Sources

Windows Endpoint Events

Required Tables

endpoint/windows

False Positives

IT administrators running gpresult.exe manually or via scripts for compliance auditing and troubleshooting Group Policy application failures
SCCM/Intune client management processes (ccmexec.exe, msiexec.exe) invoking gpresult.exe during client health checks or software deployments
Security and compliance tooling (e.g., Tenable, Rapid7, CrowdStrike Spotlight) using PowerShell GPO cmdlets during scheduled configuration assessment scans
Help desk personnel using GPMC or RSAT tools to diagnose user/computer policy application issues
Automated GPO compliance checks performed by domain management scripts run from privileged service accounts

Google Chronicle / SecOps

yaral

rule detect_group_policy_discovery {
  meta:
    author = "Argus"
    description = "Detects Group Policy enumeration activities"
    severity = "MEDIUM"
    technique = "T1615"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `gpresult\.exe`) nocase or
      re.regex($e.target.process.command_line, `Get-GPO|Get-GPOReport|Get-GPPermission|gpresult`) nocase
    )
    not $e.principal.user.windows_sid = "S-1-5-18"
  condition:
    $e
}

medium severity medium confidence

Data Sources

Endpoint Telemetry

Required Tables

PROCESS_LAUNCH

False Positives

IT administrators running gpresult.exe manually or via scripts for compliance auditing and troubleshooting Group Policy application failures
SCCM/Intune client management processes (ccmexec.exe, msiexec.exe) invoking gpresult.exe during client health checks or software deployments
Security and compliance tooling (e.g., Tenable, Rapid7, CrowdStrike Spotlight) using PowerShell GPO cmdlets during scheduled configuration assessment scans
Help desk personnel using GPMC or RSAT tools to diagnose user/computer policy application issues
Automated GPO compliance checks performed by domain management scripts run from privileged service accounts

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /gpresult\.exe/i OR (ImageFileName = /powershell/i AND CommandHistory = /Get-GPO|Get-GPOReport|Get-GPPermission/i)
| case {
    CommandHistory = /Get-GPOReport/i | DiscoveryType := "GPO Full Report";
    CommandHistory = /Get-GPO|Get-GPPermission/i | DiscoveryType := "GPO Enumeration";
    ImageFileName = /gpresult/i | DiscoveryType := "GPResult Query";
    * | DiscoveryType := "GP Discovery"
  }
| table([@timestamp, UserName, ComputerName, ImageFileName, CommandHistory, DiscoveryType])

medium severity medium confidence

Data Sources

ProcessRollup2 (Falcon sensor)

Required Tables

ProcessRollup2

False Positives

IT administrators running gpresult.exe manually or via scripts for compliance auditing and troubleshooting Group Policy application failures
SCCM/Intune client management processes (ccmexec.exe, msiexec.exe) invoking gpresult.exe during client health checks or software deployments
Security and compliance tooling (e.g., Tenable, Rapid7, CrowdStrike Spotlight) using PowerShell GPO cmdlets during scheduled configuration assessment scans
Help desk personnel using GPMC or RSAT tools to diagnose user/computer policy application issues
Automated GPO compliance checks performed by domain management scripts run from privileged service accounts

Group Policy Discovery

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Discovery

Popular Detections