Adversaries may abuse the default Domain Policy GPO folder (the Policies\{31B2F340-016D-11D2-945F-00C04FB984F9} directory) to persistently execute malicious files by copying EXE or DLL artifacts into this trusted, policy-applied location. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify lateral movement or persistence mechanisms that rely on trusted system locations.
Detection Rule (Sigma)
title: Suspicious Files in Default GPO Folder
id: 5f87308a-0a5b-4623-ae15-d8fa1809bc60
status: test
description: Detects the creation or copying of suspicious files (EXE/DLL) into the default GPO storage folder
references:
    - https://redcanary.com/blog/intelligence-insights-november-2021/
author: elhoim
date: 2022-04-28
tags:
    - attack.t1036.005
    - attack.defense-evasion
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
Azure Sentinel Query (KQL)
// In the ASIM FileEvent schema TargetFilePath holds the full path and TargetFileName
// only the bare file name, so the GPO folder check must run against TargetFilePath.
// Backslashes are escaped inside KQL double-quoted string literals.
imFileEvent
| where TargetFilePath contains "\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\"
| where TargetFileName endswith ".dll" or TargetFileName endswith ".exe"
False Positive Scenarios
1. Scenario: A system administrator is deploying a legitimate tool (e.g., Sysmon or LogParser) via Group Policy to multiple endpoints.
   Filter/Exclusion: Exclude files that match known legitimate tools, or check the file's digital signature against a trusted certificate store.
2. Scenario: A scheduled job runs a script that copies a temporary DLL (e.g., from a shared network location) to the GPO folder for logging or analysis purposes.
   Filter/Exclusion: Exclude files that are created by known scheduled tasks or scripts, using the Task Scheduler name or CommandLine field in the event log.
3. Scenario: An IT admin is manually copying a trusted DLL (e.g., from a shared folder) to the GPO folder to test a policy configuration.
   Filter/Exclusion: Exclude files that are created by user accounts with specific administrative privileges or that match a predefined list of trusted files.
4. Scenario: A third-party application (e.g., Microsoft Endpoint Manager) copies its configuration files to the GPO folder during an update or sync process.
   Filter/Exclusion: Exclude files that are associated with known third-party applications or that match a specific file pattern used by the application.
5. Scenario: A security tool (e.g., CrowdStrike Falcon) is configured to write diagnostic files to the GPO folder for monitoring purposes.
   Filter/Exclusion: Exclude files that are generated by known security tools or that match a specific file extension or hash used by the tool.
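The following Python script is an added example, not part of the original rule or its Sentinel conversion. It applies the rule's selection (a file created under the default Domain Policy GPO folder with an .exe or .dll extension) to constructed file_event records shaped like Sysmon Event ID 11, then layers on the exclusions described in the scenarios above: a trusted code-signing publisher check (scenarios 1 and 3) and an allowlist of known creating processes (scenarios 2, 4 and 5). The `signed`/`signer` fields and the `ExampleMDM` agent path are assumptions for illustration; Sysmon's file-create event carries no signature data, so that information would come from enrichment. All sample events are constructed.

```python
# Added example: the page's Sigma selection plus scenario-based exclusions,
# run over constructed Sysmon EID 11-style file_event records.
from dataclasses import dataclass

DEFAULT_DOMAIN_POLICY_GUID = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
GPO_PATH_FRAGMENT = "\\Policies\\" + DEFAULT_DOMAIN_POLICY_GUID + "\\"
SUSPICIOUS_EXTENSIONS = (".dll", ".exe")

# Tuning lists modelled on the false positive scenarios (constructed placeholder values).
TRUSTED_SIGNERS = {"microsoft corporation", "microsoft windows"}
ALLOWED_CREATING_PROCESSES = {
    r"c:\program files\examplemdm\agent.exe",  # hypothetical third-party deployment agent
}


@dataclass
class FileEvent:
    target_filename: str   # full path, as in Sysmon EID 11 TargetFilename
    image: str             # creating process, as in Sysmon Image
    signed: bool = False   # assumed enrichment field
    signer: str = ""       # assumed enrichment field


def sigma_selection(ev: FileEvent) -> bool:
    """Mirror of the rule's selection; Sigma string modifiers are case-insensitive."""
    path = ev.target_filename.lower()
    return GPO_PATH_FRAGMENT.lower() in path and path.endswith(SUSPICIOUS_EXTENSIONS)


def is_excluded(ev: FileEvent) -> bool:
    """Exclusions from the scenarios: trusted signer, or a known creating process."""
    if ev.signed and ev.signer.lower() in TRUSTED_SIGNERS:
        return True
    return ev.image.lower() in ALLOWED_CREATING_PROCESSES


def hunt(events):
    """Return the events that match the selection and survive the exclusions."""
    return [ev for ev in events if sigma_selection(ev) and not is_excluded(ev)]


SYSVOL = r"C:\Windows\SYSVOL\sysvol\corp.example\Policies"   # constructed DC path

SAMPLE_EVENTS = [
    # 1. Unsigned DLL written by cmd.exe into the default Domain Policy folder: alert.
    FileEvent(SYSVOL + r"\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\update.dll",
              r"C:\Windows\System32\cmd.exe"),
    # 2. Signed Sysinternals binary staged by an admin (scenario 1): excluded by signer.
    FileEvent(SYSVOL + r"\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Sysmon64.exe",
              r"C:\Windows\explorer.exe", signed=True, signer="Microsoft Corporation"),
    # 3. Startup script in the same folder: not an EXE/DLL, outside the rule.
    FileEvent(SYSVOL + r"\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Scripts\Startup\logon.bat",
              r"C:\Windows\System32\cmd.exe"),
    # 4. A different (constructed) GPO GUID: outside the rule's scope.
    FileEvent(SYSVOL + r"\{00000000-0000-0000-0000-000000000000}\Machine\tool.exe",
              r"C:\Windows\System32\cmd.exe"),
    # 5. Mixed-case path and extension from a temp-dir process: still matches, alert.
    FileEvent(SYSVOL.upper() + r"\{31b2f340-016d-11d2-945f-00c04fb984f9}\USER\PAYLOAD.EXE",
              r"C:\Users\jdoe\AppData\Local\Temp\stage.exe"),
    # 6. Known deployment agent (scenario 4) writing an unsigned DLL: excluded by creator.
    FileEvent(SYSVOL + r"\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\config.dll",
              r"C:\Program Files\ExampleMDM\agent.exe"),
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print("ALERT", ev.target_filename, "created by", ev.image)
```

Running the script reports only events 1 and 5: the signed tool and the allowlisted agent are suppressed, and the script and foreign-GUID writes never match the selection. In Sentinel the same exclusions become additional `| where not(...)` clauses on the ASIM columns, with signer data joined in from a signature-aware source.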