T1615 Microsoft Sentinel · KQL

Detect Group Policy Discovery in Microsoft Sentinel

This detection identifies adversary attempts to enumerate Group Policy Objects (GPOs) and Group Policy settings within an Active Directory environment. Attackers use tools such as gpresult.exe, PowerShell cmdlets (Get-DomainGPO, Get-DomainGPOLocalGroup, Get-GPO), and frameworks like PowerView and BloodHound to discover GPO configurations that reveal privilege escalation paths, security control gaps, and domain trust relationships. Detected activity includes direct invocation of gpresult.exe outside of normal administrative contexts, PowerShell-based GPO enumeration via PowerView or RSAT cmdlets, and LDAP queries targeting GPO-related LDAP attributes. Correlating these patterns with post-discovery activity such as lateral movement or GPO modification attempts allows analysts to identify reconnaissance phases of domain-targeted attacks.

MITRE ATT&CK

Tactic
Discovery
Technique
T1615 Group Policy Discovery
Canonical reference
https://attack.mitre.org/techniques/T1615/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let SuspiciousGPOPSFunctions = dynamic([
    "Get-DomainGPO", "Get-DomainGPOLocalGroup", "Get-DomainGPOComputerLocalGroupMapping",
    "Get-DomainGPOUserLocalGroupMapping", "Get-NetGPO", "Get-GPO",
    "Get-GPResultantSetOfPolicy", "Get-GPOReport", "Find-GPOLocation",
    "Find-GPOComputerAdmin"
]);
let LegitParents = dynamic(["mmc.exe", "gpedit.msc", "gpmc.msc", "msiexec.exe", "sccmexec.exe", "ccmexec.exe"]);
DeviceProcessEvents
| where TimeGenerated > ago(1d)
| where (
    // Direct gpresult enumeration outside standard admin parent processes
    (FileName =~ "gpresult.exe"
        and not(InitiatingProcessFileName has_any (LegitParents))
        and AccountName !endswith "$"
    )
    // PowerShell GPO enumeration via PowerView, Empire, or RSAT
    or (FileName in~ ("powershell.exe", "pwsh.exe")
        and ProcessCommandLine has_any (SuspiciousGPOPSFunctions)
    )
    // WMIC-based GPO queries
    or (FileName =~ "wmic.exe"
        and ProcessCommandLine has_any ("gpo", "grouppolicy")
    )
    // net.exe querying GPO-related groups
    or (FileName =~ "net.exe"
        and ProcessCommandLine matches regex @"(?i)(group\s*policy|gpo)"
    )
)
| extend AccountUpn = strcat(AccountDomain, "\\", AccountName)
| project
    TimeGenerated,
    DeviceName,
    AccountUpn,
    AccountName,
    AccountDomain,
    FileName,
    ProcessCommandLine,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    InitiatingProcessParentFileName,
    FolderPath
| order by TimeGenerated desc
medium severity medium confidence

Detects Group Policy Discovery activity via gpresult.exe invocations outside standard admin tooling parents, PowerShell use of PowerView and RSAT GPO enumeration functions (Get-DomainGPO, Get-GPO, Get-GPResultantSetOfPolicy, etc.), WMIC queries targeting group policy, and net.exe GPO-related queries. Filters machine accounts and known legitimate parent processes to reduce noise.

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • IT administrators running gpresult.exe manually or via scripts for compliance auditing and troubleshooting Group Policy application failures
  • SCCM/Intune client management processes (ccmexec.exe, msiexec.exe) invoking gpresult.exe during client health checks or software deployments
  • Security and compliance tooling (e.g., Tenable, Rapid7, CrowdStrike Spotlight) using PowerShell GPO cmdlets during scheduled configuration assessment scans
  • Help desk personnel using GPMC or RSAT tools to diagnose user/computer policy application issues
  • Automated GPO compliance checks performed by domain management scripts run from privileged service accounts
Download portable Sigma rule (.yml)

Other platforms for T1615

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1GPO Enumeration via gpresult.exe

    Expected signal: Sysmon EventCode=1: Image=gpresult.exe with CommandLine containing /z and /scope. Security EventID=4688 if process creation auditing enabled with command line logging. File creation event for C:\Temp\gpo_computer.txt (Sysmon EventCode=11).

  2. Test 2GPO Enumeration via PowerView Get-DomainGPO

    Expected signal: Sysmon EventCode=1: powershell.exe with CommandLine containing Get-DomainGPO. PowerShell Script Block Logging (EventID 4104) capturing the full IEX expression and Get-DomainGPO function body. Sysmon EventCode=3 for LDAP connections to domain controllers (port 389) from powershell.exe.

  3. Test 3GPO Enumeration via RSAT Get-GPO PowerShell Cmdlet

    Expected signal: Sysmon EventCode=1: powershell.exe with CommandLine containing 'Get-GPO' and 'Get-GPResultantSetOfPolicy'. PowerShell EventID 4103/4104 capturing module import of GroupPolicy and cmdlet invocations. Sysmon EventCode=11 for HTML report file creation at C:\Temp\rsop_report.html. LDAP traffic to domain controllers for GPO object queries.

Last updated: 2026-03-20 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1615 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1484Domain or Tenant Policy ModificationT1069Permission Groups DiscoveryT1069.002Domain GroupsT1087.002Domain AccountT1482Domain Trust DiscoveryT1033System Owner/User DiscoveryT1016System Network Configuration DiscoveryT1059.001PowerShell

Same Tactic: Discovery

Popular Detections