adpare
68 lines
4.2 KiB
JSON
68 lines
4.2 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--3bcf3b9b-a7af-4d86-bf40-9ebf2d7a224a",
|
|
"spec_version": "2.0",
|
|
"objects": [
|
|
{
|
|
"type": "attack-pattern",
|
|
"id": "attack-pattern--1b20efbf-8063-4fc3-a07d-b575318a301b",
|
|
"created": "2021-08-06T13:10:12.916Z",
|
|
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
|
"revoked": false,
|
|
"external_references": [
|
|
{
|
|
"source_name": "mitre-attack",
|
|
"url": "https://attack.mitre.org/techniques/T1615",
|
|
"external_id": "T1615"
|
|
},
|
|
{
|
|
"source_name": "ADSecurity GPO Persistence 2016",
|
|
"description": "Metcalf, S. (2016, March 14). Sneaky Active Directory Persistence #17: Group Policy. Retrieved March 5, 2019.",
|
|
"url": "https://adsecurity.org/?p=2716"
|
|
},
|
|
{
|
|
"source_name": "Microsoft gpresult",
|
|
"description": "Microsoft. (2017, October 16). gpresult. Retrieved August 6, 2021.",
|
|
"url": "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult"
|
|
},
|
|
{
|
|
"source_name": "Github PowerShell Empire",
|
|
"description": "Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.",
|
|
"url": "https://github.com/PowerShellEmpire/Empire"
|
|
},
|
|
{
|
|
"source_name": "TechNet Group Policy Basics",
|
|
"description": "srachui. (2012, February 13). Group Policy Basics \u2013 Part 1: Understanding the Structure of a Group Policy Object. Retrieved March 5, 2019.",
|
|
"url": "https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/"
|
|
}
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
|
],
|
|
"modified": "2025-10-24T17:48:28.148Z",
|
|
"name": "Group Policy Discovery",
|
|
"description": "Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\\<DOMAIN>\\SYSVOL\\<DOMAIN>\\Policies\\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)\n\nAdversaries may use commands such as <code>gpresult</code> or various publicly available PowerShell functions, such as <code>Get-DomainGPO</code> and <code>Get-DomainGPOLocalGroup</code>, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain or Tenant Policy Modification](https://attack.mitre.org/techniques/T1484)) for their benefit.",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "mitre-attack",
|
|
"phase_name": "discovery"
|
|
}
|
|
],
|
|
"x_mitre_attack_spec_version": "3.2.0",
|
|
"x_mitre_contributors": [
|
|
"Ted Samuels, Rapid7",
|
|
"Jonhnathan Ribeiro, 3CORESec, @_w0rk3r"
|
|
],
|
|
"x_mitre_deprecated": false,
|
|
"x_mitre_domains": [
|
|
"enterprise-attack"
|
|
],
|
|
"x_mitre_is_subtechnique": false,
|
|
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
|
"x_mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"x_mitre_version": "1.1"
|
|
}
|
|
]
|
|
} |