New Check: Potentially malicious gPCFileSysPath

What is a one sentence summary of your feature request?

Uncover odd-looking gPCFileSysPath paths that may indicate malicious behavior.

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

The gPCFileSysPath will force a user / computer to reach out to the file path specified. It could be common for attack tools to directly revert this, but this could have been manually modified, or odd/historic scenarios could be uncovered.

Checks
Does gPCFileSysPath resolve to a Domain Controller? - It should
Does gPCFileSysPath include an IP address? (NTLM downgrade / potentially malicious)

Documentation Links

How do you currently solve the challenges you have by not having this feature?

Using other tools such as PowerShell

Thanks for the detection rule idea here, Brandon. This is definitely something that we should be able to get easily, even if it is unlikely to trigger due to many of the tools that do this automatically cleaning themselves up.
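
The two checks proposed in the issue, sketched in PowerShell as an added example (not code from the project or from either commenter). The sample GPO records, the `Test-GpcFileSysPath` function name, the finding labels and the trusted-host list are assumptions; the host comparison stands in for actually resolving the name and confirming it is a Domain Controller.

```powershell
# Constructed sample data (not from a real domain): GPO name and gPCFileSysPath.
$SampleGpos = @(
    [pscustomobject]@{ Name = 'Default Domain Policy'; gPCFileSysPath = '\\corp.example\sysvol\corp.example\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}' }
    [pscustomobject]@{ Name = 'Workstation Baseline';  gPCFileSysPath = '\\DC01.corp.example\SysVol\corp.example\Policies\{11111111-2222-3333-4444-555555555555}' }
    [pscustomobject]@{ Name = 'Legacy Printers';       gPCFileSysPath = '\\192.0.2.15\share\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}' }
    [pscustomobject]@{ Name = 'Old Migration';         gPCFileSysPath = '\\fileserver7.other.example\gpo\{99999999-8888-7777-6666-555555555555}' }
    [pscustomobject]@{ Name = 'Broken Entry';          gPCFileSysPath = 'C:\Temp\gpo' }
)

function Test-GpcFileSysPath {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Gpo,
        # Assumption: the caller supplies the domain DNS name and the DC host names.
        # In a live domain these could be collected with Get-ADDomain (DNSRoot) and
        # Get-ADDomainController -Filter * (HostName).
        [Parameter(Mandatory)] [string[]] $TrustedHosts
    )
    process {
        $findings = @()
        # A UNC path has the form \\host\share\...; capture the host portion.
        if ($Gpo.gPCFileSysPath -match '^\\\\([^\\]+)\\') {
            $hostPart = $Matches[1]
            $ip = $null
            # Check 2 from the issue: host given as an IP address.
            if ([System.Net.IPAddress]::TryParse($hostPart, [ref]$ip)) {
                $findings += 'HostIsIpAddress'
            }
            # Check 1 from the issue: host should be the domain or a DC.
            # -notcontains compares strings case-insensitively.
            if ($TrustedHosts -notcontains $hostPart) {
                $findings += 'HostNotDomainController'
            }
        } else {
            $findings += 'NotUncPath'
        }
        # Emit a record only for paths that raised at least one finding.
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Name     = $Gpo.Name
                Path     = $Gpo.gPCFileSysPath
                Findings = $findings -join ','
            }
        }
    }
}

$trusted = 'corp.example', 'DC01.corp.example', 'DC02.corp.example'
$SampleGpos | Test-GpcFileSysPath -TrustedHosts $trusted | Format-Table -AutoSize
```

Against a live directory, the input objects would come from the `groupPolicyContainer` objects with their `gPCFileSysPath` attribute loaded instead of `$SampleGpos`.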