T1615 Group Policy Discovery
Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path \<DOMAIN>\SYSVOL\<DOMAIN>\Policies\.41
Adversaries may use commands such as gpresult or various publicly available PowerShell functions, such as Get-DomainGPO and Get-DomainGPOLocalGroup, to gather information on Group Policy settings.23 Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. Domain Policy Modification) for their benefit.
| Item | Value |
|---|---|
| ID | T1615 |
| Sub-techniques | |
| Tactics | TA0007 |
| Platforms | Windows |
| Version | 1.1 |
| Created | 06 August 2021 |
| Last Modified | 06 January 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0521 | BloodHound | BloodHound has the ability to collect local admin information via GPO.5 |
| S0082 | Emissary | Emissary has the capability to execute gpresult.6 |
| S0363 | Empire | Empire includes various modules for enumerating Group Policy.3 |
| G0010 | Turla | Turla surveys a system upon check-in to discover Group Policy details using the gpresult command.7 |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0026 | Active Directory | Active Directory Object Access |
| DS0017 | Command | Command Execution |
| DS0029 | Network Traffic | Network Traffic Content |
| DS0009 | Process | Process Creation |
| DS0012 | Script | Script Execution |
References
-
Metcalf, S. (2016, March 14). Sneaky Active Directory Persistence #17: Group Policy. Retrieved March 5, 2019. ↩
-
Microsoft. (2017, October 16). gpresult. Retrieved August 6, 2021. ↩
-
Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. ↩↩
-
srachui. (2012, February 13). Group Policy Basics – Part 1: Understanding the Structure of a Group Policy Object. Retrieved March 5, 2019. ↩
-
Robbins, A., Vazarkar, R., and Schroeder, W. (2016, April 17). Bloodhound: Six Degrees of Domain Admin. Retrieved March 5, 2019. ↩
-
Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016. ↩
-
Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020. ↩