Active Directory Advanced Threat Hunting - Compare GPOs with the Security Compliance Toolkit



Dear Microsoft Active Directory friends,


Even in the age of digital transformation, group policy settings (still) play a crucial role in maintaining network security and compliance. Advanced Hunting, an advanced technique for monitoring and analyzing these settings, is an indispensable tool for administrators. This method makes it possible to gain in-depth insights into the configuration and security situation of Windows networks. By using specific tools and scripts, professionals can detect security vulnerabilities, identify configuration errors and ensure that all group policies meet the highest security and compliance requirements. This article introduces the concept of Advanced Hunting for Group Policy settings and how it can transform management and security in IT infrastructures.


Do we now need additional software and/or expensive tools? No, all we need is a little time, curiosity and the "Security Compliance Toolkit", which Microsoft is making available to us free of charge (thanks to Microsoft at this point).


But first, before we start analyzing the group policy settings, let's take a closer look at the MITRE techniques and the relevant Windows Event IDs.


We start with a list of MITRE techniques:


Domain Policy Modification
Domain Policy Modification: Group Policy Modification
Group Policy Discovery
Domain Policy Modification: Domain Trust Modification
Unsecured Credentials: Group Policy Preferences
The Windows Event IDs for the MITRE techniques:


Domain Policy Modification - 4739(S): Domain Policy was changed
Group Policy Discovery - Appendix L: Events to Monitor
Domain Policy Modification: Domain Trust Modification - 4716(S): Trusted domain information was modified
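As an added example (not part of the original article), the following PowerShell pulls the two Security-log events listed above, 4739 and 4716, from a domain controller and summarises who changed what. It assumes it is run on a DC (or with -ComputerName added to Get-WinEvent) by an account that can read the Security log; the seven-day window is an arbitrary choice.

```powershell
# Added example, not from the original article: hunt for the two Security-log
# events the article maps to the MITRE techniques (4739 and 4716).
# Assumptions: run on a domain controller with rights to read the Security log;
# the 7-day look-back window is an arbitrary choice.
$Since = (Get-Date).AddDays(-7)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4739, 4716   # 4739 = Domain Policy was changed, 4716 = Trusted domain information was modified
    StartTime = $Since
} -ErrorAction SilentlyContinue

if (-not $events) {
    "No 4739/4716 events found since $Since"
    return
}

$events | ForEach-Object {
    # The EventData fields differ per event ID, so read the event XML instead of
    # parsing the localised message text.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # 4739 records which policy area changed; 4716 records the trusted domain.
    if ($_.Id -eq 4739) { $detail = $data['DomainPolicyChanged'] }
    else                { $detail = $data['DomainName'] }

    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        Subject = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Detail  = $detail
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

Every row in the output is a change to domain policy or a trust by a named account; anything not matching a planned change ticket is what you then investigate.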
Compare the Default Domain Controllers Policy with the security baselines using the Policy Analyzer!


So that we can compare the Default Domain Controllers Policy, we create a backup:



Security Compliance Toolkit and Baselines can be downloaded here:


We need the necessary tools and baselines:



Extract the files:



From the Windows-Server-2022-Security-Baseline-FINAL folder, copy the following file:



Paste the file in the Policy Analyzer folder:



Open the Policy Analyzer:



NOTE: If you have a low screen resolution you may not be able to see the bottom part of the application. It is important that you see the bottom part so that you can adjust the path to the policy rule sets (see red marker).


Now we have to add the default domain controller policy:



Click on the import button:



Give it a name and then click on Save:



Now you can compare the policy with the security baseline:
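The backup and staging steps above, scripted as an added example (not the article's own code): it backs up the Default Domain Controllers Policy with Backup-GPO so that Policy Analyzer can import it, copies the baseline's .PolicyRules file(s) next to PolicyAnalyzer.exe (the manual copy/paste step), and then opens the tool. It assumes the GroupPolicy RSAT module is installed, and the paths C:\GPO-Backup and C:\SCT are placeholders for wherever you extracted the toolkit.

```powershell
# Added example, not from the original article: back up the Default Domain
# Controllers Policy and stage the baseline rule set for Policy Analyzer.
# Assumptions: GroupPolicy RSAT module installed; C:\GPO-Backup and C:\SCT are
# placeholder paths (the latter is where the toolkit zips were extracted).
#Requires -Modules GroupPolicy

$BackupRoot  = 'C:\GPO-Backup'
$SctRoot     = 'C:\SCT'
$AnalyzerDir = Join-Path $SctRoot 'PolicyAnalyzer'
$BaselineDir = Join-Path $SctRoot 'Windows-Server-2022-Security-Baseline-FINAL'

# The Default Domain Controllers Policy has the same well-known GUID in every domain,
# so addressing it by GUID is more robust than by (renamable) display name.
$DefaultDcPolicyGuid = '6AC1786C-016F-11D2-945F-00C04fB984F9'

New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# Backup-GPO creates a sub-folder named after a new backup id; keep the returned
# object so the id and display name are available for logging.
$backup = Backup-GPO -Guid $DefaultDcPolicyGuid -Path $BackupRoot `
                     -Comment "Baseline comparison $(Get-Date -Format s)"
"Backed up '{0}' (backup id {1}) to {2}" -f $backup.DisplayName, $backup.Id, $BackupRoot

# Optional: back up every GPO in the domain instead, one sub-folder per GPO.
# Get-GPO -All | Backup-GPO -Path $BackupRoot | Out-Null

# Stage the baseline's Policy Analyzer rule set(s) next to PolicyAnalyzer.exe.
# The baseline ships them as *.PolicyRules files; the exact file name is not assumed.
Get-ChildItem -Path $BaselineDir -Filter '*.PolicyRules' -Recurse | ForEach-Object {
    Copy-Item -Path $_.FullName -Destination $AnalyzerDir -Force
    "Staged rule set: $($_.Name)"
}

# Sanity check before opening the GUI: a usable GPO backup contains Backup.xml.
$backupDir = Join-Path $BackupRoot "{$($backup.Id)}"
if (-not (Test-Path (Join-Path $backupDir 'Backup.xml'))) {
    throw "GPO backup folder $backupDir is incomplete"
}

Start-Process (Join-Path $AnalyzerDir 'PolicyAnalyzer.exe')
```

In Policy Analyzer you then point the import at C:\GPO-Backup (or whichever path you used), name the imported set, save it, and compare it against the staged baseline rule set exactly as in the screenshots above.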





If you want to examine your Active Directory with PowerShell, you will find a "small" compilation of various PowerShell scripts in the following link:


NOTE: Before using these scripts, make sure that you have the necessary authorizations. This should always be in writing. Although the scripts do not change any settings or manipulate the system, it is your responsibility how you use these scripts!


I hope that this information is helpful to you and that it has given you a good "little" foundation. This article is by no means complete and exhaustive, but I still hope you find it useful.


Thank you for taking the time to read the article.


Happy Comparing and Hunting, Tom Wechsler


P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github!

5 Replies
This has never been explained better,
Great Work Tom !!!

P.S. See also OnBoarding Accelerator Implementing Secure Baselines in our Workshoplist ;)



Sorry, my AD knowledge is near to 0. 

But why do you choose the default Domain Group Policy? We have near 100 different GPOs. Do we have to take every one and back it up and run the compare against them?