Gpresult Display Group Policy Information

calendar Nov 26, 2025 · attack.discovery attack.t1615  ·
Share on: linkedin copy

Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information

Sigma rule (View on GitHub)

 1title: Gpresult Display Group Policy Information
 2id: e56d3073-83ff-4021-90fe-c658e0709e72
 3status: test
 4description: Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md
 7    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult
 8    - https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/
 9    - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
10author: frack113
11date: 2022-05-01
12tags:
13    - attack.discovery
14    - attack.t1615
15logsource:
16    product: windows
17    category: process_creation
18detection:
19    selection:
20        Image|endswith: '\gpresult.exe'
21        CommandLine|contains:
22            - '/z'
23            - '/v'
24    condition: selection
25falsepositives:
26    - Unknown
27level: medium
28simulation:
29    - type: atomic-red-team
30      name: Display group policy information via gpresult
31      technique: T1615
32      atomic_guid: 0976990f-53b1-4d3f-a185-6df5be429d3b
33regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_gpresult_execution/info.yml

References

Related rules

to-top