Group Policy Discovery

Group Policy Discovery is a technique in which adversaries query Group Policy Objects (GPOs) to learn how privileges and security policy are configured in a domain and how the domain is administered. Adversaries typically run the gpresult command, use PowerShell (the ActiveDirectory or GroupPolicy modules, or tooling such as PowerView), or read the SYSVOL share directly, collecting which policies apply to which objects and what security settings they enforce, as groundwork for later privilege escalation or policy tampering. Defenders can look for unusual LDAP queries, PowerShell remotely loading modules, and Windows event ID 4661 (a handle to a directory service object was requested) to identify Group Policy discovery.
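The three collection paths named above, shown as an added example (this is not code from the ATT&CK page or from any of the listed software). It assumes a domain-joined Windows host running Windows PowerShell 5.1, with the domain name in $env:USERDNSDOMAIN and the caller holding ordinary domain-user read access to the directory and SYSVOL; no RSAT module is required because the LDAP step uses the built-in [adsisearcher] type. Each step is the one that produces the corresponding artifact the Detection section keys on: a gpresult process, an LDAP search with a groupPolicyContainer filter, and SMB reads of GptTmpl.inf under SYSVOL.

```powershell
# Added example: the three GPO collection paths and the telemetry each one leaves.
# Assumptions: domain-joined host, Windows PowerShell 5.1, default read rights.

# 1. gpresult: Resultant Set of Policy for this computer. Spawns gpresult.exe,
#    so it appears as a process-creation event with "gpresult" on the command line.
$rsop = gpresult /r /scope:computer 2>$null
$rsop | Select-String 'Applied Group Policy Objects' -Context 0,10

# 2. LDAP: every GPO is a groupPolicyContainer object under
#    CN=Policies,CN=System,<domain DN>. This exact filter is what DC-side
#    search logging shows, and it travels over LDAP (389/636) to a domain controller.
$searcher = [adsisearcher]'(objectClass=groupPolicyContainer)'
$searcher.PropertiesToLoad.AddRange([string[]]@('displayName','gPCFileSysPath','versionNumber','flags'))
$gpos = $searcher.FindAll() | ForEach-Object {
    [pscustomobject]@{
        Name          = $_.Properties['displayname'][0]
        SysvolPath    = $_.Properties['gpcfilesyspath'][0]
        Version       = $_.Properties['versionnumber'][0]
        # flags: 1 = user settings disabled, 2 = computer settings disabled, 3 = both
        DisabledFlags = [int]$_.Properties['flags'][0] -band 3
    }
}
$gpos | Sort-Object Name | Format-Table -AutoSize

# 3. SYSVOL: the policy bodies live on the SYSVOL share. Restricted Groups
#    (the [Group Membership] section of GptTmpl.inf) is the usual target, since
#    it reveals which accounts are pushed into local Administrators (S-1-5-32-544).
$sysvol = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
Get-ChildItem -Path $sysvol -Recurse -Filter 'GptTmpl.inf' -ErrorAction SilentlyContinue |
    Select-String -Pattern '^\[Group Membership\]|^\*S-1-5-32-544' |
    Select-Object Path, LineNumber, Line
```

Step 2 is the only one that lets an analyst see the raw filter a tool sends; PowerView's Get-DomainGPO and the GroupPolicy module's Get-GPO issue the same class of query, so a detection built on the filter text covers all of them, while steps 1 and 3 are visible only through process creation and file-share auditing respectively.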

ID: T1615
Sub-techniques:  No sub-techniques
Tactic: Discovery
Platforms: Windows
Contributors: Jonhnathan Ribeiro, 3CORESec, @_w0rk3r; Ted Samuels, Rapid7
Version: 1.1
Created: 06 August 2021
Last Modified: 06 January 2023

Concealment effects

Effect type  Present
Signature masquerading  Yes
Behavioral transparency  No
Data obscuration  Yes
Spatiotemporal trace dispersion  Yes

Signature masquerading

Adversaries use protocol tunneling and abuse of legitimate tools to make Group Policy queries look like routine administration or ordinary network service traffic: for example, tunneling the LDAP queries inside DNS so that the traffic resembles standard name resolution, or running the queries through PowerShell modules that ship with the system so that the process tree is indistinguishable from an administrator's daily work. This protocol-level disguise makes it hard to extract a malicious signature from either network traffic or process behavior. Note that tunneling changes only the transport back to the adversary: some host inside the network still has to issue a plain LDAP search against a domain controller, and that query, with its groupPolicyContainer filter, remains visible to DC-side logging regardless of how the results leave the network.

Data obscuration

When the queries are tunneled, adversaries carry the encapsulated commands and the returned policy data over a TLS-encrypted channel, preventing defenders from parsing the communication in cleartext. Even if an intermediate node captures the traffic, it cannot read the Group Policy information nested inside the encrypted payload, which hides both the intent of the activity and the transfer of results. This only defeats network content inspection; host-side telemetry (the gpresult process, PowerShell script block logs, the LDAP search as seen by the domain controller) is unaffected.

Spatiotemporal trace dispersion

By splitting work and reassembling the results later, adversaries break one Group Policy discovery task into many low-frequency, scattered sub-queries sent to several domain controllers across different time periods. This long-running, distributed pattern dilutes the temporal concentration and spatial correlation of the activity, so anomaly detection that only looks at short time windows or at a single domain controller is unlikely to recognize the policy-harvesting campaign as a whole. Detection therefore needs to aggregate by source host across all domain controllers over days, not per controller per minute.

Procedure Examples

ID Name Description
S0521 BloodHound

BloodHound has the ability to collect local admin information via GPO.[1]

S1159 DUSTTRAP

DUSTTRAP can identify victim environment Group Policy information.[2]

S0082 Emissary

Emissary has the capability to execute gpresult.[3]

S0363 Empire

Empire includes various modules for enumerating Group Policy.[4]

S1141 LunarWeb

LunarWeb can capture information on group policy settings.[5]

G0010 Turla

Turla surveys a system upon check-in to discover Group Policy details using the gpresult command.[6]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0026 Active Directory Active Directory Object Access

Monitor for abnormal LDAP queries whose filters reference groupPolicyContainer (via objectClass or objectCategory) and for high volumes of LDAP traffic from a single source to domain controllers. On the domain controller, search filters become visible in Directory Service event ID 1644 once search logging is enabled (the "15 Field Engineering" diagnostics level, with the search-time threshold lowered so that ordinary searches are also recorded); Windows Security event ID 4661 can also be used to detect when a directory service object has been accessed. Baseline against the Group Policy client engine's own periodic policy refresh, which reads GPOs legitimately from every domain member.

DS0017 Command Command Execution

Monitor for suspicious use of gpresult, for example with /z or /scope:computer from an account that does not normally administer the host. Monitor for the use of PowerShell functions such as Get-DomainGPO and Get-DomainGPOLocalGroup (PowerView), for Get-GPO and Get-GPOReport from the GroupPolicy module outside normal administration, and for processes spawning with command-line arguments containing GPOLocalGroup. PowerShell script block logging (event ID 4104) records these function names even when the script is loaded directly into memory and never touches disk.
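A minimal detection pass covering both the Active Directory Object Access row (LDAP filters on groupPolicyContainer, rolled up per client to expose volume) and the Command Execution row (gpresult and PowerView-style function names), written here as an added example rather than taken from the ATT&CK page. The events are constructed, simplified stand-ins for what a SIEM would hand over (Directory Service 1644 for LDAP searches, Security 4688 and PowerShell 4104 for execution); the property names Id, Source, Client, Filter, Host and CommandLine are assumptions of this example, not the real event schema, so map them to your own field names before use.

```powershell
# Added example: detection logic over constructed sample events (not real telemetry).
# Field names are assumptions; real 1644/4688/4104 events need mapping to them.
$events = @(
    [pscustomobject]@{ Id=1644; Source='DS';         Client='10.0.5.17:51233'; Filter='(objectClass=groupPolicyContainer)' }
    [pscustomobject]@{ Id=1644; Source='DS';         Client='10.0.5.17:51240'; Filter='(&(objectCategory=groupPolicyContainer)(name={*}))' }
    [pscustomobject]@{ Id=1644; Source='DS';         Client='10.0.2.9:60001';  Filter='(sAMAccountName=jdoe)' }
    [pscustomobject]@{ Id=4688; Source='Security';   Host='WS042'; CommandLine='gpresult.exe /r /z /scope:computer' }
    [pscustomobject]@{ Id=4104; Source='PowerShell'; Host='WS042'; CommandLine='Get-DomainGPOLocalGroup -ResolveMembersToSIDs' }
    [pscustomobject]@{ Id=4688; Source='Security';   Host='WS011'; CommandLine='"C:\Windows\System32\gpupdate.exe" /force' }
)

function Find-GpoDiscovery {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        # Minimum number of GPO-filtered searches from one client before alerting;
        # raise it to stay above the baseline of legitimate policy refreshes.
        [int]$LdapThreshold = 1
    )

    $hits = foreach ($e in $Events) {
        if ($e.Filter -and $e.Filter -match 'groupPolicyContainer') {
            # Key on the client IP only, dropping the ephemeral port, so repeated
            # searches from the same host aggregate.
            [pscustomobject]@{ Rule='ldap_gpo_filter'; Key=($e.Client -split ':')[0]; Evidence=$e.Filter }
        }
        elseif ($e.CommandLine -and $e.CommandLine -match '(?i)\bgpresult(\.exe)?\b|Get-DomainGPO|GPOLocalGroup|\bGet-GPO(Report)?\b') {
            [pscustomobject]@{ Rule='gpo_cmdline'; Key=$e.Host; Evidence=$e.CommandLine }
        }
    }

    # Roll hits up per rule and source so that "many GPO searches from one host"
    # surfaces as a single finding with a count, which is the volume signal the
    # detection row asks for; the LDAP rule only fires at or above the threshold.
    $hits | Group-Object Rule, Key | ForEach-Object {
        [pscustomobject]@{
            Rule     = $_.Group[0].Rule
            Key      = $_.Group[0].Key
            Count    = $_.Count
            Evidence = ($_.Group.Evidence | Select-Object -Unique) -join ' | '
        }
    } | Where-Object { $_.Rule -ne 'ldap_gpo_filter' -or $_.Count -ge $LdapThreshold }
}

Find-GpoDiscovery -Events $events -LdapThreshold 2 | Format-Table -AutoSize
```

With the constructed input this yields two findings: ldap_gpo_filter for 10.0.5.17 with Count 2 (the 10.0.2.9 user lookup does not match), and gpo_cmdline for WS042 with Count 2 covering both the gpresult process and the in-memory PowerView call; the gpupdate invocation on WS011 is ignored. Because the roll-up is keyed on source rather than on domain controller or time bucket, feeding it events from all DCs over a multi-day window is what counters the dispersed, low-frequency querying described under Spatiotemporal trace dispersion.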

DS0029 Network Traffic Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

DS0009 Process Process Creation

Monitor for newly executed processes that may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment.

DS0012 Script Script Execution

Monitor for attempts to enable script execution on a system; these should be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running outside the normal cycle of patching or other administrative functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

References