From 757f0a5e7cde47aa6ff6f3b85e57e8ce3c5fc8b3 Mon Sep 17 00:00:00 2001
From: IntelScott <99858125+tropChaud@users.noreply.github.com>
Date: Thu, 14 Apr 2022 12:55:20 -0400
Subject: [PATCH] Create T1615.yaml (#1868)

* Create T1615.yaml

Quick test for a new technique

* Update T1615.yaml

Fixed format of executor object

Co-authored-by: Carrie Roberts
---
 atomics/T1615/T1615.yaml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 atomics/T1615/T1615.yaml

diff --git a/atomics/T1615/T1615.yaml b/atomics/T1615/T1615.yaml
new file mode 100644
index 00000000..860a13d5
--- /dev/null
+++ b/atomics/T1615/T1615.yaml
@@ -0,0 +1,17 @@
+attack_technique: T1615
+display_name: 'Group Policy Discovery'
+atomic_tests:
+- name: Display group policy information via gpresult
+  description: |
+    Uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information for a remote user and computer
+    The /z parameter displays all available information about Group Policy. More parameters can be found in the linked Microsoft documentation
+    https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult
+    https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/
+    Turla has used the /z and /v parameters: https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
+  supported_platforms:
+  - windows
+  executor:
+    name: command_prompt
+    elevation_required: false
+    command: |
+      gpresult /z
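Review bot: The description's first line says gpresult displays RSoP information "for a remote user and computer", but the executor runs `gpresult /z` with no remote target specified, so the test only queries the local machine and the currently logged-on user; the text should read `Uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information for the local user and computer` so anyone validating a detection knows what telemetry to expect. The command is read-only discovery, so the absence of a cleanup step looks fine. It would also help detection engineers if the description stated the observable this test produces, e.g. `Expected telemetry: a gpresult.exe process creation event with the /z argument on the test host`, since that is the only artifact the test leaves.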