Group Policy Discovery via Microsoft GPResult Utility

 1[metadata]
 2creation_date = "2023/01/18"
 3integration = ["windows", "endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Detects the usage of gpresult.exe to query group policy objects. Attackers may query group policy 
13objects during the reconnaissance phase after compromising a system to gain a better understanding 
14of the active directory environment and possible methods to escalate privileges or move laterally. 
15"""
16from = "now-9m"
17index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Group Policy Discovery via Microsoft GPResult Utility"
21risk_score = 21
22rule_id = "94a401ba-4fa2-455c-b7ae-b6e037afc0b7"
23severity = "low"
24tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
25timestamp_override = "event.ingested"
26type = "eql"
27
28query = '''
29process where host.os.type == "windows" and event.type == "start" and
30(process.name: "gpresult.exe" or process.pe.original_file_name == "gprslt.exe") and process.args: ("/z", "/v", "/r", "/x")
31'''
32
33[[rule.threat]]
34framework = "MITRE ATT&CK"
35[[rule.threat.technique]]
36id = "T1615"
37name = "Group Policy Discovery"
38reference = "https://attack.mitre.org/techniques/T1615/"
39
40[rule.threat.tactic]
41id = "TA0007"
42name = "Discovery"
43reference = "https://attack.mitre.org/tactics/TA0007/"