T1615: Group Policy Discovery
Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and patterns in domain objects that can be manipulated or used to blend into the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group Policy Objects (GPOs) are containers for Group Policy settings made up of files stored within a predictable network path: `\\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\`.
Adversaries may use commands such as gpresult, or various publicly available PowerShell functions such as Get-DomainGPO and Get-DomainGPOLocalGroup, to gather information on Group Policy settings. Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. Domain or Tenant Policy Modification) for their benefit.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
unix_mitre_attck_discovery: PT-CR-1789: Unix_MsLDAPDump_Usage: Attackers can download information from AD and use it to progress the attack
pt_nad: PT-CR-738: NAD_Sharphound: PT NAD detected network scanning using the SharpHound or BloodHound software
mitre_attck_discovery: PT-CR-1081: Domain_Dump_Tools_Via_LDAP: Information is uploaded from a domain controller
mitre_attck_discovery: PT-CR-1082: Enumerating_Delegated_Credentials: Credential delegation is checked in the registry
mitre_attck_discovery: PT-CR-1378: PowerView_Recon: Running scripts from the PowerView toolkit used to retrieve information about domains, domain and local groups, and users is detected
mitre_attck_discovery: PT-CR-2546: Audit_Policies_Discovery: A user accessed many audit.csv files located in the "%SYSTEMROOT%\system32\GroupPolicy" and "%SYSTEMROOT%\sysnative\GroupPolicy" directories in a short period of time. This indicates an attempt to obtain advanced security audit policies.
mitre_attck_discovery: PT-CR-1083: Ldapdomaindump_Queries: Active Directory information is dumped using ldapdomaindump
active_directory_attacks: PT-CR-1341: ActiveDirectory_Data_Collection: An LDAP query to collect domain information was executed using the AD Explorer or SharpHound utility. Attackers use these utilities to collect information about domain computers, users, groups, and so on.
hacking_tools: PT-CR-599: Subrule_Sharphound_Server_Side: Possible use of the SharpHound or BloodHound software is detected
hacking_tools: PT-CR-1790: MsLDAPDump_Usage: Attackers can download information from AD and use it to progress the attack
hacking_tools: PT-CR-598: Subrule_Sharphound_Client_Side: Network access to ports 389 and 445 is detected
hacking_tools: PT-CR-597: Sharphound_Server_Side: Possible network scanning with the SharpHound or BloodHound software is detected
hacking_tools: PT-CR-2017: SharpHound_LDAP_Requests: Launch of the SharpHound (BloodHound) tool using one of the collection methods ObjectProps, ACL, Trusts, or Container is detected. ObjectProps collects object properties such as LastLogon or PwdLastSet; ACL collects abusable permissions on objects in Active Directory; Trusts collects domain trusts; Container collects the OU tree structure and Group Policy links
hacking_tools: PT-CR-1978: SharpHound_Sysvol_Access: The SharpHound (BloodHound) utility used to collect information about Active Directory objects was started using one of the following collection methods: DCOnly, LocalGroup (--Stealth), ComputerOnly (--Stealth), RDP (--Stealth), DCOM (--Stealth), GPOLocalGroup, LocalAdmin (--Stealth)
hacking_tools: PT-CR-2118: AdPEAS_Usage: The adPEAS script for domain reconnaissance was started
hacking_tools: PT-CR-596: Sharphound_Client_Side: Possible use of the SharpHound or BloodHound software is detected
Detection

| ID | Data source and component | Description |
|---|---|---|
| DS0012 | Script: Script Execution | Monitor for any attempts to enable scripts running on a system; such attempts would be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. |
| DS0009 | Process: Process Creation | Monitor for newly executed processes that may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and patterns in domain objects that can be manipulated or used to blend into the environment. |
| DS0017 | Command: Command Execution | Monitor for suspicious use of |
| DS0029 | Network Traffic: Network Traffic Content | Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command-line arguments associated with traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). |
| DS0026 | Active Directory: Active Directory Object Access | Monitor for abnormal LDAP queries with filters for |
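As an added example (not code from this page, from MITRE, or from Positive Technologies' rule base), the following Python sketches the defender-side logic the process-creation and command-execution rows describe, run over constructed event records: it flags command lines carrying gpresult, the PowerView GPO functions, or the SYSVOL Policies path, and it flags a burst of audit.csv reads under the local GroupPolicy directories, the pattern PT-CR-2546 describes. The event layout, user names, alert labels and the burst/window thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): process-creation and file-read records.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "type": "process", "user": "CORP\\alice",
     "cmd": "gpresult /r /scope:computer"},
    {"ts": "2024-05-01T10:00:05", "type": "process", "user": "CORP\\alice",
     "cmd": 'powershell.exe -c "Get-DomainGPO -Domain corp.local | Get-DomainGPOLocalGroup"'},
    {"ts": "2024-05-01T10:01:00", "type": "process", "user": "CORP\\bob",
     "cmd": "notepad.exe C:\\Users\\bob\\notes.txt"},
] + [
    {"ts": f"2024-05-01T10:02:{i:02d}", "type": "file", "user": "CORP\\alice",
     "path": f"C:\\Windows\\system32\\GroupPolicy\\{p}\\Microsoft\\Windows NT\\Audit\\audit.csv"}
    for i, p in enumerate(["Machine", "User", "Machine", "User", "Machine"])
]

# Command-line indicators named in the technique description: gpresult, the PowerView
# GPO functions, and direct reads of the SYSVOL Policies share. Labels are assumed names.
CMD_INDICATORS = [
    ("gpresult", re.compile(r"\bgpresult(\.exe)?\b", re.I)),
    ("powerview-gpo", re.compile(r"\bGet-DomainGPO(LocalGroup)?\b", re.I)),
    ("sysvol-policies", re.compile(r"\\SYSVOL\\[^\\]+\\Policies\\", re.I)),
]
# audit.csv under the local GroupPolicy directories (the files PT-CR-2546 watches).
AUDIT_CSV = re.compile(r"\\(system32|sysnative)\\GroupPolicy\\.*\\audit\.csv$", re.I)


def detect(events, burst_count=3, window_seconds=60):
    """Return (user, reason) alerts. burst_count and window_seconds are assumed thresholds."""
    alerts = []
    recent = defaultdict(deque)  # user -> timestamps of audit.csv reads inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "process":
            for label, pat in CMD_INDICATORS:
                if pat.search(ev["cmd"]):
                    alerts.append((ev["user"], f"gpo-discovery-cmd:{label}"))
                    break
        elif ev["type"] == "file" and AUDIT_CSV.search(ev["path"]):
            q = recent[ev["user"]]
            q.append(ts)
            while ts - q[0] > timedelta(seconds=window_seconds):  # drop reads outside the window
                q.popleft()
            if len(q) == burst_count:  # fire once, when the threshold is first reached
                alerts.append((ev["user"], "audit-policy-burst"))
    return alerts
```

Running detect(EVENTS) yields two command-line alerts and one burst alert, all for alice; bob's notepad launch produces nothing.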