Skip to content

T1615 Group Policy Discovery

Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path \<DOMAIN>\SYSVOL\<DOMAIN>\Policies\.41

Adversaries may use commands such as gpresult or various publicly available PowerShell functions, such as Get-DomainGPO and Get-DomainGPOLocalGroup, to gather information on Group Policy settings.23 Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. Domain Policy Modification) for their benefit.

Item Value
ID T1615
Tactics TA0007
Platforms Windows
Version 1.1
Created 06 August 2021
Last Modified 06 January 2023

Procedure Examples

ID Name Description
S0521 BloodHound BloodHound has the ability to collect local admin information via GPO.5
S0082 Emissary Emissary has the capability to execute gpresult.6
S0363 Empire Empire includes various modules for enumerating Group Policy.3
G0010 Turla Turla surveys a system upon check-in to discover Group Policy details using the gpresult command.7


ID Data Source Data Component
DS0026 Active Directory Active Directory Object Access
DS0017 Command Command Execution
DS0029 Network Traffic Network Traffic Content
DS0009 Process Process Creation
DS0012 Script Script Execution