Detection of adversary attempts to enumerate Group Policy settings through suspicious command execution (gpresult), PowerShell enumeration (Get-DomainGPO, Get-DomainGPOLocalGroup), and abnormal LDAP queries targeting groupPolicyContainer objects. Defenders observe unusual process lineage, script execution, or LDAP filter activity against domain controllers.
| Data Component | Name | Channel |
|---|---|---|
| Active Directory Object Access (DC0071) | WinEventLog:Security | EventCode=4661 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Command Execution (DC0064) | WinEventLog:Powershell | EventCode=4104 |
| Network Traffic Content (DC0085) | NSM:Flow | query: High-volume LDAP traffic with filters targeting groupPolicyContainer attributes |

| Field | Description |
|---|---|
| TimeWindow | Defines the correlation window to link suspicious PowerShell activity, gpresult execution, and LDAP enumeration. |
| UserContext | Identifies accounts expected to perform GPO enumeration (administrators vs. standard users). |
| CommandLinePatterns | Patterns for detecting suspicious gpresult or PowerShell cmdlets; tunable to reduce noise in environments where these tools are common. |
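The correlation the tables above describe, as a constructed Python example (not the page's own analytic): it applies the CommandLinePatterns, UserContext allowlist and TimeWindow tunables to a handful of constructed Sysmon, PowerShell and LDAP-flow records, and alerts only when a non-admin account shows two or more distinct GPO-discovery signals inside the window. Event shape, account names and the log text are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): (timestamp, source, user, text).
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:05", "Sysmon:1", "CORP\\jdoe", "gpresult.exe /R /SCOPE COMPUTER"),
    ("2024-05-01T10:00:40", "PowerShell:4104", "CORP\\jdoe",
     "Get-DomainGPO -Domain corp.local | Get-DomainGPOLocalGroup"),
    ("2024-05-01T10:01:10", "NSM:Flow", "CORP\\jdoe",
     "ldap search base=DC=corp,DC=local filter=(objectClass=groupPolicyContainer)"),
    ("2024-05-01T14:30:00", "Sysmon:1", "CORP\\svc-gpadmin", "gpresult.exe /H report.html"),
]

# UserContext: accounts expected to enumerate GPOs (hypothetical allowlist).
ADMIN_ACCOUNTS = {"CORP\\svc-gpadmin"}
# CommandLinePatterns: tune per environment to reduce noise.
COMMAND_LINE_PATTERNS = [re.compile(p, re.I) for p in (
    r"\bgpresult(\.exe)?\b", r"\bGet-DomainGPO\b", r"\bGet-DomainGPOLocalGroup\b")]
LDAP_PATTERN = re.compile(r"groupPolicyContainer", re.I)

def classify(event):
    """Map one event to a GPO-discovery signal name, or None if it is not one."""
    _, source, _, text = event
    if source.startswith("NSM") and LDAP_PATTERN.search(text):
        return "ldap_gpc_query"
    if any(p.search(text) for p in COMMAND_LINE_PATTERNS):
        return "gpresult" if "gpresult" in text.lower() else "powershell_gpo_cmdlet"
    return None

def correlate(events, window=timedelta(minutes=5), admin_accounts=ADMIN_ACCOUNTS):
    """Return one alert per non-admin user with >= 2 distinct signals inside the TimeWindow."""
    by_user = defaultdict(list)
    for ev in events:
        signal = classify(ev)
        if signal and ev[2] not in admin_accounts:
            by_user[ev[2]].append((datetime.fromisoformat(ev[0]), signal))
    alerts = []
    for user, hits in by_user.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            signals = {s for t, s in hits[i:] if t - t0 <= window}
            if len(signals) >= 2:
                alerts.append({"user": user, "first_seen": t0.isoformat(), "signals": sorted(signals)})
                break  # one alert per user is enough for triage
    return alerts

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

The allowlisted service account's lone gpresult run produces no alert, while the standard user's three signals within two minutes do.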