Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Техника Выявление состава групповой политики
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Выявление состава групповой по...
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Выявление состава групповой политики

Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\\SYSVOL\\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016) Adversaries may use commands such as gpresult or various publicly available PowerShell functions, such as Get-DomainGPO and Get-DomainGPOLocalGroup, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. Domain or Tenant Policy Modification) for their benefit.

ID: T1615
Тактика(-и): Discovery
Платформы: Windows
Источники данных: Active Directory: Active Directory Object Access, Command: Command Execution, Network Traffic: Network Traffic Content, Process: Process Creation, Script: Script Execution
Версия: 1.1
Дата создания: 06 Aug 2021
Последнее изменение: 06 Jan 2023

Примеры процедур
Название Описание
LunarWeb

LunarWeb can capture information on group policy settings(Citation: ESET Turla Lunar toolset May 2024)
DUSTTRAP

DUSTTRAP can identify victim environment Group Policy information.(Citation: Google Cloud APT41 2024)
BloodHound

BloodHound has the ability to collect local admin information via GPO.(Citation: GitHub Bloodhound)
Turla

Turla surveys a system upon check-in to discover Group Policy details using the gpresult command.(Citation: ESET ComRAT May 2020)
Empire

Empire includes various modules for enumerating Group Policy.(Citation: Github PowerShell Empire)
Emissary

Emissary has the capability to execute gpresult.(Citation: Emissary Trojan Feb 2016)

Обнаружение

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained. Monitor for suspicious use of gpresult. Monitor for the use of PowerShell functions such as Get-DomainGPO and Get-DomainGPOLocalGroup and processes spawning with command-line arguments containing GPOLocalGroup. Monitor for abnormal LDAP queries with filters for groupPolicyContainer and high volumes of LDAP traffic to domain controllers. Windows Event ID 4661 can also be used to detect when a directory service has been accessed.

Ссылки

  1. srachui. (2012, February 13). Group Policy Basics – Part 1: Understanding the Structure of a Group Policy Object. Retrieved March 5, 2019.
  2. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  3. Microsoft. (2017, October 16). gpresult. Retrieved August 6, 2021.
  4. Metcalf, S. (2016, March 14). Sneaky Active Directory Persistence #17: Group Policy. Retrieved March 5, 2019.
  5. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
  6. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
  7. Robbins, A., Vazarkar, R., and Schroeder, W. (2016, April 17). Bloodhound: Six Degrees of Domain Admin. Retrieved March 5, 2019.
  8. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  9. Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.