Detect Group Policy Discovery in IBM QRadar
This detection identifies adversary attempts to enumerate Group Policy Objects (GPOs) and Group Policy settings within an Active Directory environment. Attackers use tools such as gpresult.exe, PowerShell cmdlets and functions (Get-DomainGPO, Get-DomainGPOLocalGroup, Get-GPO), and frameworks such as PowerView and BloodHound to discover GPO configurations that reveal privilege escalation paths, security control gaps, and domain trust relationships. Detected activity includes direct invocation of gpresult.exe outside normal administrative contexts, PowerShell-based GPO enumeration via PowerView or RSAT cmdlets, and LDAP queries targeting GPO-related attributes. Correlating these patterns with post-discovery activity such as lateral movement or GPO modification attempts lets analysts identify the reconnaissance phase of domain-targeted attacks.
MITRE ATT&CK
- Tactic: Discovery
- Technique: T1615 Group Policy Discovery
- Canonical reference: https://attack.mitre.org/techniques/T1615/
QRadar Detection Query
SELECT
  username AS "Username",
  UTF8(payload) AS "CommandLine",
  sourceip AS "SourceIP",
  devicetime AS "EventTime",
  CASE
    WHEN UTF8(payload) ILIKE '%gpresult%'
      AND (UTF8(payload) ILIKE '%/r%' OR UTF8(payload) ILIKE '%/v%') THEN 65
    WHEN UTF8(payload) ILIKE '%Get-GPO%' OR UTF8(payload) ILIKE '%Get-GPOReport%' THEN 70
    ELSE 45
  END AS "RiskScore"
FROM events
WHERE eventid = 4688
  AND (UTF8(payload) ILIKE '%gpresult%'
    OR UTF8(payload) ILIKE '%Get-GPO%'
    OR UTF8(payload) ILIKE '%GroupPolicy%')
ORDER BY "RiskScore" DESC
LAST 24 HOURS

IBM QRadar AQL translation of the T1615 detection. It uses SQL-like syntax with a risk score per event and flags Group Policy Discovery activity via gpresult.exe and GPO cmdlet invocations outside standard admin tooling. Because UTF8(payload) is the raw event text rather than the parsed command line, the substring matches run over every field of the 4688 payload, not only the command line.
Data Sources
Required Tables
False Positives & Tuning
- IT administrators running gpresult.exe manually or via scripts for compliance auditing and troubleshooting Group Policy application failures
- SCCM/Intune client management processes (ccmexec.exe, msiexec.exe) invoking gpresult.exe during client health checks or software deployments
- Security and compliance tooling (e.g., Tenable, Rapid7, CrowdStrike Spotlight) using PowerShell GPO cmdlets during scheduled configuration assessment scans
- Help desk personnel using GPMC or RSAT tools to diagnose user/computer policy application issues
- Automated GPO compliance checks performed by domain management scripts run from privileged service accounts
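To see what the query's WHERE clause and CASE scoring actually select, and how the tuning cases above can be handled without discarding events, here is an added Python example (not part of this page or of QRadar). It applies the same ILIKE-style substring rules to a constructed set of 4688 process-creation records and sets aside hits whose parent process or account is on an allowlist. The parent-process names, account names and records are constructed assumptions, not real telemetry.

```python
# Constructed sample of Security 4688 process-creation events, reduced to the
# fields the AQL detection reads plus the parent process and account that the
# false-positive notes refer to. These are not real log lines.
SAMPLE_4688 = [
    {"Username": "jdoe", "CommandLine": "gpresult.exe /r /scope:computer",
     "ParentImage": "cmd.exe", "SourceIP": "10.0.0.15"},
    {"Username": "svc_sccm", "CommandLine": "gpresult.exe /r",
     "ParentImage": "ccmexec.exe", "SourceIP": "10.0.0.20"},
    {"Username": "helpdesk1", "CommandLine": "powershell.exe -Command Get-GPO -All",
     "ParentImage": "explorer.exe", "SourceIP": "10.0.0.31"},
    {"Username": "jdoe", "CommandLine": "powershell.exe Import-Module GroupPolicy",
     "ParentImage": "cmd.exe", "SourceIP": "10.0.0.15"},
    {"Username": "svc_gpoaudit", "CommandLine": "gpresult.exe /v",
     "ParentImage": "wscript.exe", "SourceIP": "10.0.0.40"},
    {"Username": "jdoe", "CommandLine": "notepad.exe report.txt",
     "ParentImage": "explorer.exe", "SourceIP": "10.0.0.15"},
]


def ilike(haystack, needle):
    """Approximate AQL ILIKE '%needle%': case-insensitive substring match."""
    return needle.lower() in haystack.lower()


def matches(cmdline):
    """WHERE clause of the query: any of the three GPO-related substrings."""
    return any(ilike(cmdline, p) for p in ("gpresult", "Get-GPO", "GroupPolicy"))


def risk_score(cmdline):
    """CASE expression of the query, evaluated in the same branch order."""
    if ilike(cmdline, "gpresult") and (ilike(cmdline, "/r") or ilike(cmdline, "/v")):
        return 65
    if ilike(cmdline, "Get-GPO") or ilike(cmdline, "Get-GPOReport"):
        return 70
    return 45


# Tuning lists drawn from the false-positive notes: client-management parents
# and accounts that run scheduled GPO compliance checks. Values are constructed
# assumptions; a real deployment would take them from its own inventory.
ALLOWED_PARENTS = {"ccmexec.exe", "msiexec.exe"}
ALLOWED_ACCOUNTS = {"svc_gpoaudit"}


def triage(events, allowed_parents=ALLOWED_PARENTS, allowed_accounts=ALLOWED_ACCOUNTS):
    """Return (alerts, suppressed). Alerts are matching events sorted by score
    descending; hits from allowlisted parents or accounts are set aside for
    periodic review rather than dropped, so the allowlist itself stays auditable."""
    alerts, suppressed = [], []
    for ev in events:
        if not matches(ev["CommandLine"]):
            continue
        hit = dict(ev, RiskScore=risk_score(ev["CommandLine"]))
        if (ev["ParentImage"].lower() in allowed_parents
                or ev["Username"].lower() in allowed_accounts):
            suppressed.append(hit)
        else:
            alerts.append(hit)
    alerts.sort(key=lambda h: h["RiskScore"], reverse=True)
    return alerts, suppressed


if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_4688)
    for h in alerts:
        print(f'{h["RiskScore"]:>3} {h["Username"]:<12} {h["CommandLine"]}')
    print(f"{len(suppressed)} event(s) suppressed by tuning lists")
```

On the sample, the Get-GPO invocation scores 70, the interactive gpresult /r scores 65 and the bare GroupPolicy module import falls into the ELSE branch at 45; the SCCM-spawned gpresult and the audit service account's gpresult /v are set aside rather than alerted. Keeping suppressed hits visible matters because an attacker who lands in an allowlisted context would otherwise disappear from the query entirely.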
Other platforms for T1615
Testing Methodology
Validate this detection against three Atomic Red Team tests for this technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: GPO Enumeration via gpresult.exe
Expected signal: Sysmon EventCode=1: Image=gpresult.exe with CommandLine containing /z and /scope. Security EventID=4688 if process creation auditing enabled with command line logging. File creation event for C:\Temp\gpo_computer.txt (Sysmon EventCode=11).
- Test 2: GPO Enumeration via PowerView Get-DomainGPO
Expected signal: Sysmon EventCode=1: powershell.exe with CommandLine containing Get-DomainGPO. PowerShell Script Block Logging (EventID 4104) capturing the full IEX expression and Get-DomainGPO function body. Sysmon EventCode=3 for LDAP connections to domain controllers (port 389) from powershell.exe.
- Test 3: GPO Enumeration via RSAT Get-GPO PowerShell Cmdlet
Expected signal: Sysmon EventCode=1: powershell.exe with CommandLine containing 'Get-GPO' and 'Get-GPResultantSetOfPolicy'. PowerShell EventID 4103/4104 capturing module import of GroupPolicy and cmdlet invocations. Sysmon EventCode=11 for HTML report file creation at C:\Temp\rsop_report.html. LDAP traffic to domain controllers for GPO object queries.
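As an added example (not part of the original page or of Atomic Red Team), the following Python checks which of the three tests the 4688-based query's patterns would match, using constructed stand-ins for the command lines and script-block text each test describes. The Get-DomainGPO entry in EXTENDED_PATTERNS and the script-block excerpt are assumptions made for this example.

```python
# Constructed telemetry per atomic test, reduced to the text the detection
# inspects: the 4688/Sysmon EventCode=1 command line and, where the test
# describes it, the 4104 script-block text. Not real log output.
EXPECTED = {
    "Test 1 gpresult.exe": [
        ("4688", r"gpresult.exe /z /scope:computer > C:\Temp\gpo_computer.txt"),
    ],
    "Test 2 PowerView Get-DomainGPO": [
        # The command line names the function; the PowerView loader expression
        # that precedes it in the real test is omitted here.
        ("4688", "powershell.exe -NoProfile -Command Get-DomainGPO"),
        # Script-block logging captures the function body, whose LDAP filter
        # names groupPolicyContainer (representative excerpt, constructed).
        ("4104", "function Get-DomainGPO { ... (objectCategory=groupPolicyContainer) ... }"),
    ],
    "Test 3 RSAT Get-GPO": [
        ("4688", "powershell.exe -Command \"Import-Module GroupPolicy; Get-GPO -All; "
                 "Get-GPResultantSetOfPolicy -ReportType Html -Path C:\\Temp\\rsop_report.html\""),
        ("4104", "Import-Module GroupPolicy\nGet-GPO -All"),
    ],
}

# WHERE clause of the AQL query on the page.
PAGE_PATTERNS = ("gpresult", "Get-GPO", "GroupPolicy")
# Extended set adding the PowerView function name (assumption, not from the page).
EXTENDED_PATTERNS = PAGE_PATTERNS + ("Get-DomainGPO",)


def ilike_any(text, patterns):
    """True if any pattern occurs in text, case-insensitively (AQL ILIKE '%p%')."""
    t = text.lower()
    return any(p.lower() in t for p in patterns)


def coverage(expected=EXPECTED):
    """For each test report whether the page's 4688 patterns fire, whether the
    extended patterns fire on 4688, and whether the page's patterns would fire
    on 4104 script-block text if the query were also run against those events."""
    report = {}
    for test, records in expected.items():
        cmd = [t for src, t in records if src == "4688"]
        blocks = [t for src, t in records if src == "4104"]
        report[test] = {
            "rule_4688": any(ilike_any(t, PAGE_PATTERNS) for t in cmd),
            "extended_4688": any(ilike_any(t, EXTENDED_PATTERNS) for t in cmd),
            "scriptblock_4104": any(ilike_any(t, PAGE_PATTERNS) for t in blocks),
        }
    return report


def uncovered(report=None):
    """Names of tests the page's 4688-only rule would not match."""
    report = report or coverage()
    return sorted(t for t, r in report.items() if not r["rule_4688"])


if __name__ == "__main__":
    for test, r in coverage().items():
        print(f"{test:<32} rule_4688={r['rule_4688']!s:<5} "
              f"extended_4688={r['extended_4688']!s:<5} scriptblock_4104={r['scriptblock_4104']}")
    print("not covered by 4688 rule:", uncovered())
```

With the page's own patterns, Test 2 is not matched on the 4688 command line, because Get-DomainGPO contains neither Get-GPO nor GroupPolicy as a substring; it is matched once Get-DomainGPO is added as a pattern, or on the 4104 script block where the function body's LDAP filter names groupPolicyContainer. Test 1 matches, but since it uses /z rather than /r or /v it lands in the query's ELSE score of 45, so a threshold above 45 would hide it.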
References (7)
- https://attack.mitre.org/techniques/T1615/
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult
- https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
- https://bloodhound.readthedocs.io/en/latest/
- https://adsecurity.org/?p=2716
- https://www.microsoft.com/en-us/security/blog/2022/10/05/detecting-and-preventing-privilege-escalation-attacks-leveraging-kerberos-relaying-rbcd/
- https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-uncovers-lunar-toolset-used-by-turla-apt-group/