Detect Anomalous Group Policy Discovery
Detect anomalous group policy discovery with KQL queries that identify devices performing group policy enumeration which they have not performed in the preceding 30 days. The technique targets attackers who enumerate domain policy to find privilege escalation paths, evade detection, or blend into the environment. Alerting on the first appearance of a device issuing this query surfaces reconnaissance early and shortens the window in which privilege escalation can follow.
Risk
Attackers querying Group Policy objects gain insight into domain security configurations, privilege paths, and other sensitive settings. Such reconnaissance commonly precedes privilege escalation, lateral movement, or the bypassing of security controls. Detecting anomalous group policy discovery gives defenders a chance to intervene while the attacker is still in the reconnaissance phase.
Query
Microsoft Defender For Endpoint
let PreviousActivity = materialize (
    IdentityQueryEvents
    // The baseline must end where the one-day detection window begins. With
    // "> ago(30d)" the last day is part of the baseline too, so every device seen
    // today is already "known" and the query never returns a row.
    | where Timestamp between (ago(30d) .. ago(1d))
    | where QueryType == "AllGroupPolicies"
    | distinct DeviceName
);
IdentityQueryEvents
| where Timestamp > ago(1d)
| where QueryType == "AllGroupPolicies"
// Keep only devices absent from the 30-day baseline (tabular !in instead of has_any over a make_set row).
| where DeviceName !in (PreviousActivity)
| project Timestamp, DeviceName, AccountName, QueryTarget
Microsoft Sentinel
let PreviousActivity = materialize (
    IdentityQueryEvents
    // Baseline ends at ago(1d) so it does not overlap the detection window;
    // an overlapping baseline would filter out every device seen today.
    | where TimeGenerated between (ago(30d) .. ago(1d))
    | where QueryType == "AllGroupPolicies"
    | distinct DeviceName
);
IdentityQueryEvents
| where TimeGenerated > ago(1d)
| where QueryType == "AllGroupPolicies"
// Keep only devices absent from the 30-day baseline.
| where DeviceName !in (PreviousActivity)
| project TimeGenerated, DeviceName, AccountName, QueryTarget
This KQL query detects devices that performed group policy discovery queries within the last day but have no record of such queries in the preceding 30 days. The materialize operator stores the list of devices with prior group policy discovery activity once, so the second query can filter for devices that are new to this behaviour. The baseline window has to end where the one-day detection window begins; if the baseline also covers the last day, every device seen today is already in the baseline and the query returns nothing. Devices that legitimately enumerate policy on a schedule (management servers, monitoring appliances) will appear in the baseline after their first run and stop alerting, while a device that reappears after more than 30 days of silence is treated as new again.
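The same baseline-versus-detection-window logic, as an added Python example that is not part of the original page, run over a constructed handful of IdentityQueryEvents-style records; it also shows that an overlapping baseline (one that runs up to "now") returns no results at all.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events; timestamps are relative to a fixed NOW so the run is reproducible.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

def _t(days_ago, hours_ago=0):
    return NOW - timedelta(days=days_ago, hours=hours_ago)

EVENTS = [
    # management server that enumerates GPOs regularly: in baseline and in the last day
    {"Timestamp": _t(20), "QueryType": "AllGroupPolicies", "DeviceName": "DC-MGMT01", "AccountName": "svc_gpo"},
    {"Timestamp": _t(5), "QueryType": "AllGroupPolicies", "DeviceName": "DC-MGMT01", "AccountName": "svc_gpo"},
    {"Timestamp": _t(0, 3), "QueryType": "AllGroupPolicies", "DeviceName": "DC-MGMT01", "AccountName": "svc_gpo"},
    # workstation never seen enumerating GPOs before: should alert
    {"Timestamp": _t(0, 2), "QueryType": "AllGroupPolicies", "DeviceName": "WS-FIN-117", "AccountName": "jdoe"},
    # different query type in the last day: must be ignored
    {"Timestamp": _t(0, 1), "QueryType": "AllUsers", "DeviceName": "WS-HR-042", "AccountName": "asmith"},
    # device last seen 45 days ago (outside the baseline) and again today: treated as new
    {"Timestamp": _t(45), "QueryType": "AllGroupPolicies", "DeviceName": "WS-OLD-9", "AccountName": "old"},
    {"Timestamp": _t(0, 4), "QueryType": "AllGroupPolicies", "DeviceName": "WS-OLD-9", "AccountName": "old"},
]

def anomalous_gpo_discovery(events, now=NOW, baseline_days=30, detection_days=1,
                            query_type="AllGroupPolicies"):
    """Devices that ran query_type in the detection window but not in the preceding baseline.
    Mirrors the KQL: PreviousActivity = baseline devices; recent devices !in PreviousActivity."""
    baseline_start = now - timedelta(days=baseline_days)
    detect_start = now - timedelta(days=detection_days)
    # Baseline covers (now-30d, now-1d]; it stops where the detection window starts.
    previous = {e["DeviceName"] for e in events
                if e["QueryType"] == query_type and baseline_start < e["Timestamp"] <= detect_start}
    recent = {e["DeviceName"] for e in events
              if e["QueryType"] == query_type and e["Timestamp"] > detect_start}
    return sorted(recent - previous)

def overlapping_baseline(events, now=NOW, query_type="AllGroupPolicies"):
    """Same detection with a baseline of the full last 30 days, detection window included.
    Every device seen today is then also 'previously seen', so nothing is ever returned."""
    baseline_start = now - timedelta(days=30)
    detect_start = now - timedelta(days=1)
    previous = {e["DeviceName"] for e in events
                if e["QueryType"] == query_type and e["Timestamp"] > baseline_start}
    recent = {e["DeviceName"] for e in events
              if e["QueryType"] == query_type and e["Timestamp"] > detect_start}
    return sorted(recent - previous)

if __name__ == "__main__":
    print("correct window :", anomalous_gpo_discovery(EVENTS))  # ['WS-FIN-117', 'WS-OLD-9']
    print("overlapping    :", overlapping_baseline(EVENTS))     # []
```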