AN0152: Analytic 0152
Detection of adversary attempts to enumerate Group Policy settings through suspicious command execution (gpresult), PowerShell enumeration (Get-DomainGPO, Get-DomainGPOLocalGroup), and abnormal LDAP queries targeting groupPolicyContainer objects. Defenders observe unusual process lineage, script execution, or LDAP filter activity against domain controllers.
Analyst context for executives and security teams
Analytic 0152 matters because Group Policy often defines how Windows environments enforce security, local administrator membership, scripts, software deployment, and other operational controls. Attempts to enumerate Group Policy settings can help an adversary understand where privileges, weak configurations, or management paths exist. For leaders, the value is not that every gpresult or LDAP query is malicious, but that unusual GPO discovery can be an early signal that an intruder is mapping the domain before choosing a path to expand access or disrupt operations.
Executive priority
Prioritize this as a Windows/Active Directory visibility and readiness question: can the organization distinguish normal administration from suspicious Group Policy enumeration? This supports incident decision-making, identity and access management assurance, and audit evidence around monitoring of domain controller access and administrative scripting. The business risk is highest where Group Policy controls privileged access, endpoint hardening, or operational systems, because poor visibility can delay recognition of domain reconnaissance.
Technical view
Validate coverage for suspicious command execution involving gpresult, PowerShell-based Group Policy enumeration such as Get-DomainGPO and Get-DomainGPOLocalGroup, and abnormal LDAP activity targeting groupPolicyContainer objects on domain controllers. Since no official detection logic is supplied, teams should build environment-specific baselines for expected administrators, management hosts, scripts, and process lineage, then alert on unusual users, hosts, parent processes, execution contexts, or LDAP filters that deviate from normal administrative behavior.
Likely telemetry
- Windows process creation events including command line and parent/child process lineage
- PowerShell execution telemetry, including script block or module-related evidence where available
- LDAP query telemetry or directory service logs showing filters targeting groupPolicyContainer objects
- Domain controller authentication and directory access logs
- Host, user, and administrative workstation context to distinguish expected administration from abnormal enumeration
Detection direction
- Tune for context rather than command presence alone, because gpresult and Group Policy queries can be legitimate administrative activity.
- Baseline normal Group Policy administration by user, source host, time, and tooling; prioritize deviations involving non-admin users, unusual endpoints, or unexpected process parents.
- Correlate PowerShell enumeration activity with LDAP queries against domain controllers to reduce false positives and strengthen confidence.
- Review blind spots where command-line logging, PowerShell logging, or LDAP visibility is incomplete, especially on domain controllers and administrative workstations.
- Because no tactics or relationships are supplied, avoid over-mapping this analytic to a broader intrusion stage without local evidence.
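To make the baseline-and-correlate approach from the Technical view and Detection direction concrete, here is an added example (not MITRE's, Glexia's, or any official detection logic for this analytic): it scores constructed process, PowerShell and LDAP events against an assumed allow-list of GPO administrators, management hosts and expected gpresult parents, then escalates hosts where PowerShell enumeration and a groupPolicyContainer LDAP filter occur close together. Every field name, allow-list value and sample event is an assumption made for the example.

```python
import re
from collections import defaultdict

# Constructed baseline (not MITRE/Glexia data): GPO admins, management hosts, usual gpresult parents.
ADMIN_USERS = {"CORP\\gpo-admin"}
MGMT_HOSTS = {"MGMT01"}
EXPECTED_PARENTS = {"explorer.exe", "mmc.exe"}
GPO_PS = re.compile(r"\bGet-DomainGPO(LocalGroup)?\b", re.IGNORECASE)
GPO_LDAP = re.compile(r"groupPolicyContainer", re.IGNORECASE)
WINDOW = 300  # seconds: PowerShell and LDAP hits on one host this close together escalate

def score_event(e):
    """Return baseline deviations for one event; an empty list means expected admin use."""
    reasons, hit = [], False
    if e["type"] == "process" and e["image"].lower().endswith("gpresult.exe"):
        hit = True
        if e["parent"].lower() not in EXPECTED_PARENTS:
            reasons.append("gpresult spawned by %s" % e["parent"])
    elif e["type"] == "powershell" and GPO_PS.search(e["script"]):
        hit = True
        reasons.append("Get-DomainGPO* enumeration in script block")
    elif e["type"] == "ldap" and GPO_LDAP.search(e["filter"]):
        hit = True
        reasons.append("LDAP filter targets groupPolicyContainer")
    for field, allowed in (("user", ADMIN_USERS), ("host", MGMT_HOSTS)):
        if hit and e[field] not in allowed:
            reasons.append("%s %s outside GPO-admin baseline" % (field, e[field]))
    return reasons

def correlate(events):
    """Group deviating events per host; PowerShell plus LDAP inside WINDOW is high severity."""
    per_host = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        reasons = score_event(e)
        if reasons:
            per_host[e["host"]].append((e["ts"], e["type"], reasons))
    alerts = {}
    for host, hits in per_host.items():
        kinds = {kind for _, kind, _ in hits}
        high = {"powershell", "ldap"} <= kinds and hits[-1][0] - hits[0][0] <= WINDOW
        alerts[host] = {"severity": "high" if high else "medium", "hits": hits}
    return alerts

SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"ts": 100, "type": "process", "host": "MGMT01", "user": "CORP\\gpo-admin", "image": "gpresult.exe", "parent": "mmc.exe"},
    {"ts": 200, "type": "process", "host": "WS042", "user": "CORP\\jdoe", "image": "gpresult.exe", "parent": "cmd.exe"},
    {"ts": 210, "type": "powershell", "host": "WS042", "user": "CORP\\jdoe", "script": "Get-DomainGPO | Get-DomainGPOLocalGroup"},
    {"ts": 240, "type": "ldap", "host": "WS042", "user": "CORP\\jdoe", "filter": "(objectCategory=groupPolicyContainer)"},
]
```

The admin's gpresult on the management host produces no reasons and is suppressed, while the workstation that combines an odd process parent, Get-DomainGPO and a groupPolicyContainer query is raised as one high-severity host alert.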
Mitigation priorities
- Ensure Windows and domain controller logging is configured to capture process execution, PowerShell activity, and relevant directory/LDAP access evidence.
- Limit Group Policy administrative privileges to approved roles and systems, and review who can read or manage sensitive GPO-related information where applicable.
- Use privileged access hygiene for domain administration, including separation of administrative workstations and routine user activity.
- Document expected Group Policy management tools and workflows so SOC teams can suppress known-good activity while escalating unusual enumeration.
- Include this behavior in incident response playbooks as a potential domain reconnaissance signal that should trigger identity, endpoint, and directory review.
Analyst notes and limits
This object is a detection analytic for Windows environments focused on enumeration of Group Policy settings through gpresult, PowerShell functions, and LDAP queries for groupPolicyContainer objects. There are no supplied relationships, aliases, labels, or official detection logic, so this analysis emphasizes validation of telemetry and environment-specific baselining rather than a fixed rule.
The ATT&CK fields provide a description but no official detection query, tactics, relationships, or mitigation mappings. Local baselines are required to determine what is abnormal, and legitimate administration can look similar to the described behavior.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 101e2e38fc06… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0152 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.