
Group Policy Discovery


  • ID: T1615
  • Tactic: Discovery
  • Platforms: Windows


Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD).

Exploitations

Windows

Command Prompt

We can use gpresult to display the Group Policy settings applied to a domain object, i.e. a user object or a computer object.

gpresult /R /V


Powerview

We can use PowerView to list the Group Policy Objects within a domain. Import the PowerView script, then execute the command below.


get-netgpo | select displayname, cn
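
Both commands above leave traces in Windows event logs. The following is an added example, not part of the original post: a PowerShell hunt that matches gpresult and PowerView GPO enumeration in process-creation (Security 4688) and script block (PowerShell 4104) events. The helper names Test-GpoDiscovery and Get-GpoDiscoveryEvent are hypothetical, and it assumes command-line auditing and script block logging are enabled.

```powershell
# Added example (not from the original post). Test-GpoDiscovery and
# Get-GpoDiscoveryEvent are hypothetical helper names.
$GpoPatterns = [ordered]@{
    'gpresult'  = '\bgpresult(\.exe)?\b'
    # Get-DomainGPO is the name Get-NetGPO carries in later PowerView releases
    'PowerView' = '\bGet-(Net|Domain)GPO'
}

function Test-GpoDiscovery {
    # Returns the name of the first matching pattern, or nothing.
    # -match is case-insensitive by default.
    param([string]$Text)
    foreach ($name in $GpoPatterns.Keys) {
        if ($Text -match $GpoPatterns[$name]) { return $name }
    }
}

function Get-GpoDiscoveryEvent {
    # Reading the Security log requires an elevated session.
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $sources = @(
        # 4688 only carries a command line when command-line auditing is enabled
        @{ Log = 'Security'; Id = 4688; Field = 'CommandLine' }
        # 4104 is written by PowerShell script block logging
        @{ Log = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; Field = 'ScriptBlockText' }
    )
    foreach ($s in $sources) {
        $filter  = @{ LogName = $s.Log; Id = $s.Id; StartTime = $Since }
        $records = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($evt in $records) {
            # Pull the named field out of the event's XML payload
            $data = ([xml]$evt.ToXml()).Event.EventData.Data
            $text = ($data | Where-Object { $_.Name -eq $s.Field }).'#text'
            $hit  = Test-GpoDiscovery $text
            if ($hit) {
                [pscustomobject]@{
                    Time = $evt.TimeCreated; Computer = $evt.MachineName
                    EventId = $evt.Id; Match = $hit; Text = $text
                }
            }
        }
    }
}

# Constructed sample strings (not real telemetry) to exercise the matcher offline
'gpresult /R /V', 'get-netgpo | select displayname, cn', 'ipconfig /all' |
    ForEach-Object { [pscustomobject]@{ Text = $_; Match = Test-GpoDiscovery $_ } }
```

Call Get-GpoDiscoveryEvent to search the last 24 hours of local logs. Administrators also run gpresult for troubleshooting, so hits are leads to triage by user and host.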



This post is licensed under CC BY 4.0 by the author.