Saturday, May 17, 2025

Build+Break+Secure

Learn by building. Master by breaking. Secure by obsession.

Build+Break+Secure

Learn by building. Master by breaking. Secure by obsession.

Kusto Query LanguageMicrosoft SentinelSECURE

Detect Anomalous Group Policy Discovery

Wayne Andes 5 min read

Description

Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group policies may contain valuable information for an attacker. This KQL query detects when an device performs an group policy Discovery that has not been performed from that device in the last 30 days.

Potential false positive is a new Administrator that has not performed group policy discovery before.

Risk

An attacker queries Group Policy object to gain valuable information about the environment.

Query

Microsoft Defender For Endpoint
Kusto
let PreviousActivity = materialize (
     IdentityQueryEvents
     | where Timestamp > ago(30d)
     | where QueryType == "AllGroupPolicies"
     | summarize make_set(DeviceName)
     );
IdentityQueryEvents
| where Timestamp > ago(1d)
| where QueryType == "AllGroupPolicies"
| where not(DeviceName has_any(PreviousActivity))

Microsoft Sentinel
Kusto
let PreviousActivity = materialize (
     IdentityQueryEvents
     | where TimeGenerated > ago(30d)
     | where QueryType == "AllGroupPolicies"
     | summarize make_set(DeviceName)
     );
IdentityQueryEvents
| where TimeGenerated > ago(1d)
| where QueryType == "AllGroupPolicies"
| where not(DeviceName has_any(PreviousActivity))

You May Also Like

Hunt For Suspicious Encoded PowerShell

Wayne Andes

Detect Azure Monitor Agent Connector Failures In CommonSecurityLog

Wayne Andes

Visualize MITRE ATT&CK Tactics Triggered On Microsoft Sentinel Incidents

Wayne Andes

Leave a Reply

Your email address will not be published. Required fields are marked *