Detectionmediumtest

Suspicious SYSVOL Domain Group Policy Access

Detects Access to Domain Group Policies stored in SYSVOL

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Markus Neis, Jonhnathan Ribeiro, oscd.communityCreated Mon Apr 09Updated Fri Jan 0705f3c945-dcc8-4393-9f3d-af65077a8f86windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        CommandLine|contains|all:
            - '\SYSVOL\'
            - '\policies\'
    condition: selection

False Positives

Administrative activity

References

MITRE ATT&CK

Tactics

Sub-techniques

Rule Metadata

Rule ID

05f3c945-dcc8-4393-9f3d-af65077a8f86

Status

test

Level

medium

Type

Detection

Created

Mon Apr 09

Modified

Fri Jan 07

Author

Path

rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml

Raw Tags

attack.credential-accessattack.t1552.006