Find sigma rule
Attack: Group Policy Discovery
Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and patterns in domain objects that can be manipulated or used to blend in with the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group Policy Objects (GPOs) are containers for Group Policy settings, made up of files stored within a predictable network path: \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\ (Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)

Adversaries may use commands such as gpresult, or various publicly available PowerShell functions such as Get-DomainGPO and Get-DomainGPOLocalGroup, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. Domain or Tenant Policy Modification) for their benefit.
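The technique description above names three observable artifacts a defender can key on: execution of gpresult, the PowerView cmdlets Get-DomainGPO and Get-DomainGPOLocalGroup, and reads of the SYSVOL Policies share. The following is an added example (not code from this page, ATT&CK, Atomic Red Team or the Sigma project) that encodes those three indicators as small Sigma-style process-creation checks and runs them over constructed sample events. The rule names, severity levels, field names (image, command_line, user) and every sample event are assumptions made for the example; the GPO GUID in the SYSVOL path is a placeholder.

```python
"""Toy process-creation detection for Group Policy discovery (T1615).

Added example; not part of the original page. Field names follow the
Sigma process_creation taxonomy (Image / CommandLine) but the rule
names, levels and sample events below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators drawn from the technique description.
GPRESULT_IMAGE = re.compile(r"\\gpresult\.exe$", re.IGNORECASE)
# One pattern for both PowerView cmdlets; the optional suffix avoids a
# double hit, since "get-domaingpo" is a prefix of the second name.
POWERVIEW_GPO = re.compile(r"\bget-domaingpo(?:localgroup)?\b", re.IGNORECASE)
SYSVOL_POLICIES = re.compile(r"\\sysvol\\[^\\]+\\policies\\", re.IGNORECASE)
POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe")


@dataclass(frozen=True)
class Event:
    image: str          # full path of the created process
    command_line: str   # its command line
    user: str = ""      # launching account (constructed sample data)


@dataclass(frozen=True)
class Finding:
    rule: str           # hypothetical rule name
    level: str          # hypothetical severity
    event: Event
    detail: str = ""    # what matched, for the analyst


def detect(ev: Event) -> list[Finding]:
    """Return every hypothetical rule that fires on one event."""
    findings: list[Finding] = []

    # gpresult is a legitimate admin tool, so alone it is low severity and
    # mainly useful for correlation with other discovery activity.
    if GPRESULT_IMAGE.search(ev.image):
        findings.append(Finding("gpresult_execution", "low", ev, "gpresult.exe"))

    # PowerView's GPO cmdlets do not ship with Windows; a plain-text hit on
    # a PowerShell command line is a strong signal.
    if ev.image.lower().endswith(POWERSHELL_IMAGES):
        m = POWERVIEW_GPO.search(ev.command_line)
        if m:
            findings.append(Finding("powerview_gpo_cmdlet", "high", ev, m.group(0)))

    # Any process handed a SYSVOL\<domain>\Policies path is reading GPO files.
    if SYSVOL_POLICIES.search(ev.command_line):
        findings.append(Finding("sysvol_policies_path", "medium", ev, "SYSVOL Policies path"))

    return findings


def scan(events: list[Event]) -> list[Finding]:
    """Run detect() over a batch of events, preserving event order."""
    return [f for ev in events for f in detect(ev)]


# Constructed sample events, not captured telemetry.
SAMPLE_EVENTS = [
    Event(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs", "SYSTEM"),
    Event(r"C:\Windows\System32\gpresult.exe", "gpresult /r", "CORP\\jdoe"),
    Event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          'powershell.exe -nop -c "Get-DomainGPO | Select-Object displayname"', "CORP\\jdoe"),
    Event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          'powershell.exe -c "get-DOMAINGPOLocalGroup"', "CORP\\jdoe"),
    Event(r"C:\Windows\explorer.exe",
          r'explorer.exe "\\corp.example\SYSVOL\corp.example\Policies\{GPO-GUID-PLACEHOLDER}"',
          "CORP\\jdoe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.level:6}] {f.rule:22} {f.detail:26} user={f.event.user} cmd={f.event.command_line}")
```

The matching is deliberately case-insensitive because cmdlet names are, and the benign svchost event produces no finding. Command-line matching only sees plain-text invocations; an encoded or obfuscated PowerShell command carrying the same cmdlet would evade it, which is why several of the rules listed below (the posh_ps_* files) work on PowerShell script block logging rather than process creation.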
MITRE
Tactic
- discovery
Technique
- T1615
Test: WinPwn - GPOAudit
OS
- windows
Description:
Check domain Group Policies for common misconfigurations using Grouper2 via the GPOAudit function of WinPwn.
Executor
powershell
Sigma Rule
- proc_creation_win_susp_web_request_cmd_and_cmdlets.yml (id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d)
- proc_creation_win_powershell_download_cradles.yml (id: 6e897651-f157-4d8f-aaeb-df8151488385)
- proc_creation_win_powershell_download_patterns.yml (id: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7)
- proc_creation_win_powershell_susp_download_patterns.yml (id: e6c54d94-498c-4562-a37c-b469d8e9a275)
- proc_creation_win_powershell_download_iex.yml (id: 85b0b087-eddf-4a2b-b033-d771fa2b9775)
- posh_ps_web_request_cmd_and_cmdlets.yml (id: 1139d2e2-84b1-4226-b445-354492eba8ba)
- posh_ps_susp_invocation_specific.yml (id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71)
- posh_pm_susp_invocation_specific.yml (id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090)
- posh_ps_detect_vm_env.yml (id: d93129cd-1ee0-479f-bc03-ca6f129882e3)
- posh_ps_malicious_commandlets.yml (id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6)
- posh_ps_win_api_susp_access.yml (id: 03d83090-8cba-44a0-b02f-0b756a050306)
- posh_ps_susp_get_current_user.yml (id: 4096a49c-7de4-4da0-a230-c66ccd56ea5a)
- posh_ps_susp_download.yml (id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb)
- posh_ps_susp_keywords.yml (id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf)
- posh_ps_susp_get_process.yml (id: af4c87ce-bdda-4215-b998-15220772e993)
- posh_ps_malicious_keywords.yml (id: f62176f3-8128-4faa-bf6c-83261322e5eb)
- posh_ps_susp_getprocess_lsass.yml (id: 84c174ab-d3ef-481f-9c86-a50d0b8e3edb)
- posh_ps_nishang_malicious_commandlets.yml (id: f772cee9-b7c2-4cb2-8f07-49870adc02e0)
- file_event_win_powershell_exploit_scripts.yml (id: f331aa1f-8c53-4fc3-b083-cc159bc971cb)
- posh_ps_localuser.yml (id: 4fdc44df-bfe9-4fcc-b041-68f5a2d3031c)
- posh_ps_susp_local_group_reco.yml (id: fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb)
- posh_ps_automated_collection.yml (id: c1dda054-d638-4c16-afc8-53e007f3fbc5)
- posh_ps_powerview_malicious_commandlets.yml (id: dcd74b95-3f36-4ed9-9598-0490951643aa)
- posh_ps_susp_extracting.yml (id: bd5971a7-626d-46ab-8176-ed643f694f68)
- posh_ps_dump_password_windows_credential_manager.yml (id: 99c49d9c-34ea-45f7-84a7-4751ae6b2cbc)
- posh_ps_timestomp.yml (id: c6438007-e081-42ce-9483-b067fbef33c3)
- net_connection_win_susp_file_sharing_domains_susp_folders.yml (id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97)
- net_connection_win_powershell_network_connection.yml (id: 1f21ec3f-810d-4b0e-8045-322202e22b4b)
- posh_pm_bad_opsec_artifacts.yml (id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86)
- posh_pm_susp_local_group_reco.yml (id: cef24b90-dddc-4ae1-a09a-8764872f69fc)