Suspicious GPO Discovery With Get-GPO
Detects the use of Get-GPO to retrieve a single GPO or all GPOs in a domain.
Log Source
Product: Windows (logsource product: windows)
Category: PowerShell Script (logsource category: ps_script)
Definition
Requirements: Script Block Logging must be enabled
Detection Logic
    detection:
        selection:
            ScriptBlockText|contains: Get-GPO
        condition: selection
False Positives
Legitimate PowerShell scripts
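To show how the selection above behaves on real-looking telemetry, the following is an added example (not code from this page or from the Sigma project) that evaluates the rule's detection section over constructed script block events. It assumes a log pipeline that exposes event ID 4104 fields under the Sigma field names (ScriptBlockText, Computer, EventID); the event contents are invented. It goes a little beyond this rule by supporting value lists, the startswith/endswith modifiers and plain wildcard matches, all case-insensitive as the Sigma specification requires, which is why the lowercase "get-gpo" in the legitimate admin script is also matched and illustrates the listed false positive.

```python
"""Evaluate the Sigma selection from this rule against sample PowerShell
script block events. Added example; not part of this page or the Sigma project.
Assumes events are dicts keyed by Sigma field names, as a pipeline would
produce from Microsoft-Windows-PowerShell/Operational event ID 4104 once
Script Block Logging is enabled."""

from fnmatch import fnmatchcase

# The rule's detection section, transcribed from the YAML on this page.
RULE = {
    "detection": {
        "selection": {"ScriptBlockText|contains": "Get-GPO"},
        "condition": "selection",
    }
}


def _value_matches(modifier, pattern, actual):
    """Sigma string matching is case-insensitive; wildcards (* and ?) are
    only special in plain, unmodified values."""
    a, p = str(actual).lower(), str(pattern).lower()
    if modifier == "contains":
        return p in a
    if modifier == "startswith":
        return a.startswith(p)
    if modifier == "endswith":
        return a.endswith(p)
    if modifier is None:
        return fnmatchcase(a, p) if any(c in p for c in "*?") else a == p
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(selection, event):
    """Every field in a selection map must match (AND); a list of values
    for one field matches if any value does (OR)."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        if not isinstance(patterns, list):
            patterns = [patterns]
        if not any(_value_matches(modifier or None, p, event[field]) for p in patterns):
            return False
    return True


def evaluate(rule, events):
    """Return the events the rule matches. Only the single-selection
    condition form used by this rule ('condition: <name>') is supported."""
    det = rule["detection"]
    name = det["condition"].strip()
    if name not in det:
        raise ValueError(f"condition references unknown selection: {name}")
    return [e for e in events if selection_matches(det[name], e)]


# Constructed sample events (not real logs). The third is a legitimate
# administrative backup script and shows why the rule lists that false positive.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "WS01",
     "ScriptBlockText": "Get-GPO -All | Select-Object DisplayName"},
    {"EventID": 4104, "Computer": "WS02",
     "ScriptBlockText": "Get-ChildItem C:\\Temp"},
    {"EventID": 4104, "Computer": "ADM01",
     "ScriptBlockText": "Backup-GPO -All -Path \\\\srv\\gpobackup; get-gpo -Name 'Default Domain Policy'"},
]


def hits():
    """Computers whose script blocks matched the rule."""
    return [e["Computer"] for e in evaluate(RULE, SAMPLE_EVENTS)]


if __name__ == "__main__":
    for e in evaluate(RULE, SAMPLE_EVENTS):
        print(f"match on {e['Computer']}: {e['ScriptBlockText']}")
```

Running it reports WS01 and ADM01; the ADM01 hit is the kind of match a triage step would need to resolve by looking at who ran the script and from where, which is what the Computer field (and, in a real pipeline, the user fields of the 4104 event) is kept for.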
MITRE ATT&CK
Tactics: Discovery (attack.discovery)
Techniques: T1615 Group Policy Discovery (attack.t1615)
Rule Metadata
Rule ID
eb2fd349-ec67-4caa-9143-d79c7fb34441
Status
test
Level
low
Type
Detection
Created
Sat Jun 04
Author
Path
rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml
Raw Tags
attack.discovery, attack.t1615