T1615 Splunk · SPL

Detect Group Policy Discovery in Splunk

This detection identifies adversary attempts to enumerate Group Policy Objects (GPOs) and Group Policy settings within an Active Directory environment. Attackers use tools such as gpresult.exe, PowerShell cmdlets (Get-DomainGPO, Get-DomainGPOLocalGroup, Get-GPO), and frameworks like PowerView and BloodHound to discover GPO configurations that reveal privilege escalation paths, gaps in security controls, and domain trust relationships. Detected activity includes direct invocation of gpresult.exe outside normal administrative contexts, PowerShell-based GPO enumeration via PowerView or RSAT cmdlets, and LDAP queries targeting GPO-related attributes. Correlating these patterns with post-discovery activity, such as lateral movement or GPO modification attempts, lets analysts identify the reconnaissance phase of domain-targeted attacks.

MITRE ATT&CK

Tactic: Discovery
Technique: T1615 Group Policy Discovery
Canonical reference: https://attack.mitre.org/techniques/T1615/

SPL Detection Query

Splunk (SPL)
index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval process_lower=lower(Image)
| eval cmdline_lower=lower(CommandLine)
| eval parent_lower=lower(ParentImage)
| where (
    (
        match(process_lower, "gpresult\.exe")
        AND NOT match(parent_lower, "(?i)(mmc|gpedit|gpmc|msiexec|ccmexec|sccmexec)")
        AND NOT match(User, "(?i)\\$$")
    )
    OR (
        match(process_lower, "(powershell|pwsh)\.exe")
        AND match(cmdline_lower, "(get-domaingpo|get-netgpo|get-gpo|get-gpresultantsetofpolicy|get-gporeport|find-gpolocation|find-gpocomputeradmin|domaingpolocalgroup|domaingpouserlocal)")
    )
    OR (
        match(process_lower, "wmic\.exe")
        AND match(cmdline_lower, "(gpo|grouppolicy)")
    )
)
| eval detection_type=case(
    match(process_lower, "gpresult\.exe"), "gpresult_execution",
    match(process_lower, "(powershell|pwsh)\.exe"), "powershell_gpo_enumeration",
    match(process_lower, "wmic\.exe"), "wmic_gpo_query",
    true(), "unknown"
)
| table _time, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, detection_type
| sort - _time
Severity: medium · Confidence: medium

Detects Group Policy Discovery via Sysmon process creation events (EventCode=1). Identifies gpresult.exe executions not initiated by legitimate admin tools, PowerShell commands using PowerView and RSAT GPO enumeration functions, and WMIC GPO queries. Machine accounts are excluded via the trailing $ pattern check on the User field.
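The rule's where-clause and case() logic, re-implemented in Python as an added example (not part of the original page or its SPL) and run over constructed Sysmon EventCode=1 records, so the parent-process and machine-account exclusions can be checked offline before the query is deployed. Field names are the Sysmon fields the SPL references; the sample paths and command lines are illustrative, not captured telemetry.

```python
import re

# Patterns mirror the SPL rule; compiled case-insensitively instead of lower()-ing each field.
GPRESULT = re.compile(r"gpresult\.exe", re.I)
POWERSHELL = re.compile(r"(powershell|pwsh)\.exe", re.I)
WMIC = re.compile(r"wmic\.exe", re.I)
ADMIN_PARENTS = re.compile(r"(mmc|gpedit|gpmc|msiexec|ccmexec|sccmexec)", re.I)
MACHINE_ACCOUNT = re.compile(r"\$$")  # trailing $ on the User field
GPO_CMDLETS = re.compile(
    r"(get-domaingpo|get-netgpo|get-gpo|get-gpresultantsetofpolicy|get-gporeport"
    r"|find-gpolocation|find-gpocomputeradmin|domaingpolocalgroup|domaingpouserlocal)", re.I)
WMIC_GPO = re.compile(r"(gpo|grouppolicy)", re.I)

def classify(event):
    """Return the detection_type the SPL rule assigns to one EventCode=1 record, or None."""
    image, cmd, parent, user = (event.get(k, "") for k in ("Image", "CommandLine", "ParentImage", "User"))
    if GPRESULT.search(image):
        # Same exclusions as the SPL where-clause: admin-tool parents and machine accounts do not alert.
        if ADMIN_PARENTS.search(parent) or MACHINE_ACCOUNT.search(user):
            return None
        return "gpresult_execution"
    if POWERSHELL.search(image) and GPO_CMDLETS.search(cmd):
        return "powershell_gpo_enumeration"
    if WMIC.search(image) and WMIC_GPO.search(cmd):
        return "wmic_gpo_query"
    return None

def run_detection(events):
    """Emulate the final | table: keep only matching events, tagged with detection_type."""
    return [{**ev, "detection_type": classify(ev)} for ev in events if classify(ev)]

# Constructed sample Sysmon EventCode=1 records (not real telemetry); paths are illustrative.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\gpresult.exe", "CommandLine": "gpresult.exe /z /scope computer",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe"},            # alerts
    {"Image": r"C:\Windows\System32\gpresult.exe", "CommandLine": "gpresult.exe /h report.html",
     "ParentImage": r"C:\Windows\System32\mmc.exe", "User": r"CORP\gpoadmin"},        # GPMC parent: excluded
    {"Image": r"C:\Windows\System32\gpresult.exe", "CommandLine": "gpresult.exe /r",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "User": r"CORP\WS01$"},       # machine account: excluded
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -nop -c "Get-DomainGPO | Select-Object displayname"',
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\jdoe"},                 # alerts
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "CommandLine": r"WMIC.exe /namespace:\\root\rsop\computer path RSOP_GPO get name",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe"},            # alerts
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "powershell.exe Get-Process",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\jdoe"},                 # no GPO cmdlet: no alert
]
```

run_detection(SAMPLE_EVENTS) returns the three alerting records; the GPMC-spawned and machine-account gpresult runs fall out exactly as the SPL exclusions intend.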

Data Sources

Sysmon

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Administrators using gpresult.exe from command prompt or PowerShell sessions for troubleshooting GPO application failures
  • Security baselines and audit scripts leveraging Get-GPO or Get-GPResultantSetOfPolicy via scheduled tasks running under service accounts
  • Group Policy management consoles (GPMC, RSAT) that spawn gpresult.exe as a subprocess during GPO modeling or reporting operations
  • Red team assessments and authorized penetration tests using PowerView or BloodHound for AD enumeration
  • IT automation platforms (Ansible, Chef, Puppet) using PowerShell to validate GPO application state on managed endpoints

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: GPO Enumeration via gpresult.exe

    Expected signal: Sysmon EventCode=1: Image=gpresult.exe with CommandLine containing /z and /scope. Security EventID=4688 if process creation auditing is enabled with command-line logging. File creation event for C:\Temp\gpo_computer.txt (Sysmon EventCode=11).

  2. Test 2: GPO Enumeration via PowerView Get-DomainGPO

    Expected signal: Sysmon EventCode=1: powershell.exe with CommandLine containing Get-DomainGPO. PowerShell Script Block Logging (EventID 4104) capturing the full IEX expression and the Get-DomainGPO function body. Sysmon EventCode=3 for LDAP connections to domain controllers (port 389) from powershell.exe.

  3. Test 3: GPO Enumeration via RSAT Get-GPO PowerShell Cmdlet

    Expected signal: Sysmon EventCode=1: powershell.exe with CommandLine containing 'Get-GPO' and 'Get-GPResultantSetOfPolicy'. PowerShell EventID 4103/4104 capturing the import of the GroupPolicy module and the cmdlet invocations. Sysmon EventCode=11 for HTML report file creation at C:\Temp\rsop_report.html. LDAP traffic to domain controllers for GPO object queries.
