DET0055 Detection strategy for Group Policy Discovery on Windows

| Item | Value |
| --- | --- |
| ID | DET0055 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1615 (Group Policy Discovery)

Analytics

Windows

AN0152

Detection of adversary attempts to enumerate Group Policy settings through suspicious command execution (gpresult), PowerShell enumeration (Get-DomainGPO, Get-DomainGPOLocalGroup), and abnormal LDAP queries targeting groupPolicyContainer objects. Defenders observe unusual process lineage, script execution, or LDAP filter activity against domain controllers.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Active Directory Object Access | DC0071 | WinEventLog:Security EventCode=4661 |
| Process Creation | DC0032 | WinEventLog:Sysmon EventCode=1 |
| Command Execution | DC0064 | WinEventLog:PowerShell EventCode=4103, 4104, 4105, 4106 |
| Network Traffic Content | DC0085 | NSM:Flow query: High-volume LDAP traffic with filters targeting groupPolicyContainer attributes |

Mutable Elements

| Field | Description |
| --- | --- |
| TimeWindow | Defines the correlation window to link suspicious PowerShell activity, gpresult execution, and LDAP enumeration. |
| UserContext | Identifies accounts expected to perform GPO enumeration (administrators vs. standard users). |
| CommandLinePatterns | Patterns for detecting suspicious gpresult or PowerShell cmdlets; tunable to reduce noise in environments where these tools are common. |
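The following is an added worked example, not part of the ATT&CK strategy page: it implements AN0152's correlation over constructed, normalised events from the Sysmon, PowerShell and NSM channels, with the three mutable elements (TimeWindow, UserContext, CommandLinePatterns) as tunable constants. The field names, the admin account, the window size and the sample events are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Mutable elements from the strategy; the values here are assumptions, tune them per environment
TIME_WINDOW = timedelta(minutes=15)
EXPECTED_GPO_ADMINS = {"CORP\\gpoadmin"}          # UserContext: accounts expected to enumerate GPOs
COMMAND_PATTERNS = [                              # CommandLinePatterns
    re.compile(r"\bgpresult(\.exe)?\b", re.I),
    re.compile(r"\bGet-DomainGPO(LocalGroup)?\b", re.I),
]
LDAP_GPO_FILTER = re.compile(r"objectClass=groupPolicyContainer", re.I)

def classify(ev):
    """Map one normalised event to an indicator kind ('command' or 'ldap'), else None."""
    if ev["channel"] == "NSM":                    # flow record carrying the observed LDAP filter
        return "ldap" if LDAP_GPO_FILTER.search(ev.get("ldap_filter", "")) else None
    if ev["channel"] == "Sysmon" and ev["code"] == 1:
        text = ev.get("command_line", "")
    elif ev["channel"] == "PowerShell" and ev["code"] in (4103, 4104):
        text = ev.get("script_block", "")
    else:
        return None
    return "command" if any(p.search(text) for p in COMMAND_PATTERNS) else None

def detect(events):
    """Correlate indicators per account inside TIME_WINDOW; alert only on unexpected accounts."""
    hits = sorted(((e["time"], e["user"], classify(e)) for e in events), key=lambda h: h[0])
    hits = [h for h in hits if h[2] is not None]
    alerts, last_alert = [], {}
    for i, (t0, user, _) in enumerate(hits):
        if user in EXPECTED_GPO_ADMINS or t0 - last_alert.get(user, datetime.min) <= TIME_WINDOW:
            continue                              # expected admin, or already alerted in this window
        kinds = {k for t, u, k in hits[i:] if u == user and t - t0 <= TIME_WINDOW}
        last_alert[user] = t0
        alerts.append({"user": user, "start": t0, "kinds": kinds,
                       "severity": "high" if len(kinds) > 1 else "medium"})
    return alerts

# Constructed sample events (not real telemetry), normalised from the channels in the Log Sources table
T = datetime(2025, 10, 21, 9, 0)
SAMPLE_EVENTS = [
    {"time": T, "channel": "Sysmon", "code": 1, "user": "CORP\\jdoe",
     "command_line": "gpresult.exe /r /scope:computer"},
    {"time": T + timedelta(minutes=2), "channel": "PowerShell", "code": 4104, "user": "CORP\\jdoe",
     "script_block": "Get-DomainGPO -Domain corp.local | Get-DomainGPOLocalGroup"},
    {"time": T + timedelta(minutes=5), "channel": "NSM", "code": 0, "user": "CORP\\jdoe",
     "ldap_filter": "(objectClass=groupPolicyContainer)"},
    {"time": T + timedelta(hours=1), "channel": "Sysmon", "code": 1, "user": "CORP\\gpoadmin",
     "command_line": "gpresult.exe /h C:\\Temp\\rsop.html"},
]
```

Running `detect(SAMPLE_EVENTS)` yields one high-severity alert for the non-admin account, whose command and LDAP indicators fall inside one window, while the expected admin's gpresult run is suppressed by UserContext.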