Gpresult Display Group Policy Information

 1title: Gpresult Display Group Policy Information
 2id: e56d3073-83ff-4021-90fe-c658e0709e72
 3status: test
 4description: Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md
 7    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult
 8    - https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/
 9    - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
10author: frack113
11date: 2022-05-01
12tags:
13    - attack.discovery
14    - attack.t1615
15logsource:
16    product: windows
17    category: process_creation
18detection:
19    selection:
20        Image|endswith: '\gpresult.exe'
21        CommandLine|contains:
22            - '/z'
23            - '/v'
24    condition: selection
25falsepositives:
26    - Unknown
27level: medium

References

• atomic-red-team/atomics/T1615/T1615.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

• gpresult

  

  Reference article for the gpresult command, which displays the Resultant Set of Policy (RSoP) information for a remote user and computer.

  
  Read More

• Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?

  

  Palo Alto Networks Unit 42 examines Emissary Trojan and how it is related to Operation Lotus Blossom.

  
  Read More

• JPš¢¥Ãè0#tÃ?kSBǃ9‰ºÜL—4yDµ,TlÂéúëvE ¼òøs=VW±j¬Œ"·TYIŒDnî–{ªýÁW5>¼q÷"áÈNıÉÚ“õm�&{?Ž¼3¶×þ¯xKrŒ`FnÑA‚EžiH‡™¼µ¤º±ÛlÅ]6ÛÛgõ¿fÅó&Û˜Íe×ó<Ù¦K&sµ.¦•u¹)¤ëÔª žK^�ëåfqRXÍÆ$ï ¯ÄëK nŒÂŸ...

  
  Read More

Related rules

• Potential Reconnaissance Activity Via GatherNetworkInfo.VBS
• Suspicious GPO Discovery With Get-GPO
• Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS
• AADInternals PowerShell Cmdlets Execution - ProccessCreation
• AADInternals PowerShell Cmdlets Execution - PsScript