title: Group Policy Discovery (T1615)
id: df00tech-t1615
status: experimental
description: "This detection identifies adversary attempts to enumerate Group Policy Objects (GPOs) and Group Policy settings within an Active Directory environment. Attackers use tools such as gpresult.exe, PowerShell cmdlets (Get-DomainGPO, Get-DomainGPOLocalGroup, Get-GPO), and frameworks like PowerView and BloodHound to discover GPO configurations that reveal privilege escalation paths, security control gaps, and domain trust relationships. Detected activity includes direct invocation of gpresult.exe outside of normal administrative contexts, PowerShell-based GPO enumeration via PowerView or RSAT cmdlets, and LDAP queries targeting GPO-related LDAP attributes. Correlating these patterns with post-discovery activity such as lateral movement or GPO modification attempts allows analysts to identify reconnaissance phases of domain-targeted attacks."
references:
  - https://attack.mitre.org/techniques/T1615/
  - https://df00tech.com/detections/T1615
author: df00tech
date: 2026/03/20
tags:
  - attack.t1615
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - IT administrators running gpresult.exe manually or via scripts for compliance auditing and troubleshooting Group Policy application failures
  - "SCCM/Intune client management processes (ccmexec.exe, msiexec.exe) invoking gpresult.exe during client health checks or software deployments"
  - "Security and compliance tooling (e.g., Tenable, Rapid7, CrowdStrike Spotlight) using PowerShell GPO cmdlets during scheduled configuration assessment scans"
  - Help desk personnel using GPMC or RSAT tools to diagnose user/computer policy application issues
  - Automated GPO compliance checks performed by domain management scripts run from privileged service accounts
level: medium