Description
Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend into the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path \.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)
Adversaries may use commands such as gpresult or various publicly available PowerShell functions, such as Get-DomainGPO and Get-DomainGPOLocalGroup, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. Domain or Tenant Policy Modification) for their benefit.
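As an added defender-side example (not part of the ATT&CK entry), the following Python flags the discovery primitives named above, gpresult and the Get-DomainGPO / Get-DomainGPOLocalGroup functions, in process-creation (4688) and PowerShell script-block (4104) telemetry. The JSON field names and the sample events are constructed assumptions, not real log data.

```python
import json
import re
from dataclasses import dataclass
from typing import Iterable, List

# Indicators named on this page: the gpresult utility and the PowerView/Empire
# functions Get-DomainGPO and Get-DomainGPOLocalGroup. Word boundaries stop
# lookalikes such as "gpupdate" or "gpresultreport" from matching.
GPO_DISCOVERY_PATTERNS = [
    re.compile(r"\b(gpresult)(?:\.exe)?\b", re.IGNORECASE),
    re.compile(r"\b(Get-DomainGPO(?:LocalGroup)?)\b", re.IGNORECASE),
]

@dataclass
class Finding:
    event_id: int
    host: str
    user: str
    indicator: str
    command: str

def detect_gpo_discovery(events: Iterable[str]) -> List[Finding]:
    """Flag 4688 (process creation) and 4104 (PowerShell script block) events
    whose command line or script text calls a Group Policy discovery primitive."""
    findings = []
    for raw in events:
        ev = json.loads(raw)
        # 4688 carries CommandLine; 4104 carries ScriptBlockText (assumed field names).
        text = ev.get("CommandLine") or ev.get("ScriptBlockText") or ""
        for pattern in GPO_DISCOVERY_PATTERNS:
            match = pattern.search(text)
            if match:
                findings.append(Finding(int(ev["EventID"]), ev.get("Computer", "?"),
                                        ev.get("User", "?"), match.group(1), text))
                break  # one finding per event
    return findings

# Constructed sample telemetry as JSON lines (not real log data).
SAMPLE_EVENTS = [
    r'{"EventID": 4688, "Computer": "WS01", "User": "CORP\\jdoe", "CommandLine": "C:\\Windows\\System32\\gpresult.exe /r /scope:computer"}',
    r'{"EventID": 4688, "Computer": "WS01", "User": "CORP\\jdoe", "CommandLine": "C:\\Windows\\System32\\gpupdate.exe /force"}',
    r'{"EventID": 4104, "Computer": "WS02", "User": "CORP\\svc-backup", "ScriptBlockText": "Get-DomainGPOLocalGroup -ResolveMembersToSIDs | Out-File gpo.txt"}',
    r'{"EventID": 4104, "Computer": "WS03", "User": "CORP\\jdoe", "ScriptBlockText": "Get-DomainGPO -Domain corp.local | Select-Object displayname"}',
    r'{"EventID": 4688, "Computer": "WS04", "User": "CORP\\admin", "CommandLine": "cmd.exe /c GPRESULT /Z > out.txt"}',
]

if __name__ == "__main__":
    for f in detect_gpo_discovery(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.host} {f.user}: {f.indicator} <- {f.command}")
```

The benign gpupdate event is not flagged; in production the same matcher would run over the SIEM's process and script-block feeds and be tuned against legitimate administrative use of gpresult.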
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) surveys a system upon check-in to discover Group Policy details using the <code>gpresult</code> command... |
Associated Software (5)
| ID | Name | Type | Context |
|---|---|---|---|
| S1141 | LunarWeb | Malware | [LunarWeb](https://attack.mitre.org/software/S1141) can capture information on group policy settings.(Citation: ESET Turla Lunar toolset May 2024) |
| S1159 | DUSTTRAP | Malware | [DUSTTRAP](https://attack.mitre.org/software/S1159) can identify victim environment Group Policy information.(Citation: Google Cloud APT41 2024) |
| S0521 | BloodHound | Tool | [BloodHound](https://attack.mitre.org/software/S0521) has the ability to collect local admin information via GPO.(Citation: GitHub Bloodhound) |
| S0363 | Empire | Tool | [Empire](https://attack.mitre.org/software/S0363) includes various modules for enumerating Group Policy.(Citation: Github PowerShell Empire) |
| S0082 | Emissary | Malware | [Emissary](https://attack.mitre.org/software/S0082) has the capability to execute <code>gpresult</code>.(Citation: Emissary Trojan Feb 2016) |
References
- Metcalf, S. (2016, March 14). Sneaky Active Directory Persistence #17: Group Policy. Retrieved March 5, 2019.
- Microsoft. (2017, October 16). gpresult. Retrieved August 6, 2021.
- Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
- srachui. (2012, February 13). Group Policy Basics – Part 1: Understanding the Structure of a Group Policy Object. Retrieved March 5, 2019.
Frequently Asked Questions
What is T1615 (Group Policy Discovery)?
T1615 is a MITRE ATT&CK technique named 'Group Policy Discovery'. It belongs to the Discovery tactic. Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend into the environment.
How can T1615 be detected?
Detection of T1615 (Group Policy Discovery) typically involves monitoring process execution and command-line telemetry for the gpresult utility and for PowerShell functions such as Get-DomainGPO and Get-DomainGPOLocalGroup, together with network traffic and broader endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1615?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1615?
Known threat groups using T1615 include: Turla.