T1615: Group Policy Discovery
Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\
Adversaries may use commands such as gpresult or various publicly available PowerShell functions, such as Get-DomainGPO and Get-DomainGPOLocalGroup, to gather information on Group Policy settings.[3][4] Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. Domain or Tenant Policy Modification) for their benefit.
Analyst context for executives and security teams
Group Policy Discovery matters because Group Policy is a map of how a Windows Active Directory environment is governed. If an intruder can inventory GPO settings, they may learn where security controls are enforced, where privileged access is granted, and which domain objects could support later privilege escalation or policy abuse. For leaders, this is less about one command and more about whether the organization can see suspicious AD reconnaissance before it becomes lateral movement or policy modification.
Executive priority
Prioritize this as an Active Directory resilience and incident-readiness issue. Group Policy often underpins endpoint hardening, user rights, local group membership, and other control evidence used for security operations and compliance. Executives should ask whether SOC teams collect enough Windows, PowerShell, process, and domain access telemetry to distinguish normal administration from unusual GPO enumeration, and whether IR teams can quickly assess if discovery activity preceded Domain or Tenant Policy Modification (T1484) or other follow-on actions.
Technical view
ATT&CK defines this as a Windows discovery technique in which adversaries gather Group Policy settings, including by reading the predictable SYSVOL policy path \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\, where each GPO's files sit in a folder named by the GPO's GUID. The description cites gpresult and publicly available PowerShell functions such as Get-DomainGPO and Get-DomainGPOLocalGroup; the latter two are PowerView functions (distributed with Empire, reference [4]) rather than cmdlets of Microsoft's GroupPolicy module, so their names alone are a stronger signal than Get-GPO or Get-GPOReport. Because the mirrored object carries no official detection text for T1615, defenders should validate coverage through the related detection strategy DET0055 and their own telemetry. SOC and IR teams should focus on command execution, PowerShell activity, access to SYSVOL policy locations, and correlation with other AD reconnaissance or later policy modification. The listed relationships show the technique used in the Leviathan Australian Intrusions campaign, by Turla, and by the software Emissary, Empire, BloodHound, LunarWeb, and DUSTTRAP, so detection logic should account for both administrative tooling and post-exploitation frameworks without assuming any single actor is present.
Likely telemetry
- Process creation telemetry with command lines (Security Event ID 4688 with command-line auditing enabled, or Sysmon Event ID 1) for gpresult.exe and other command-line enumeration
- PowerShell script block logging (Event ID 4104) and module logging (Event ID 4103), where enabled, for GPO-related cmdlets and for PowerView functions such as Get-DomainGPO and Get-DomainGPOLocalGroup
- File share access telemetry on domain controllers (Security Event ID 5145, Detailed File Share auditing) for reads under SYSVOL\<DOMAIN>\Policies\
- Directory Service Access auditing on domain controllers (Event ID 4662) for reads of groupPolicyContainer objects, where available
- Endpoint detection telemetry linking GPO discovery to parent processes, users, hosts, and remote sessions
Detection direction
- Baseline legitimate administrative use of gpresult and GPO reporting tools by IT, help desk, endpoint engineering, and domain administration roles.
- Look for GPO enumeration from unusual users, endpoints, servers, service accounts, or remote sessions, especially outside maintenance windows.
- Correlate PowerShell-based GPO discovery with other Active Directory reconnaissance, and with the post-exploitation tooling named in the relationships (Empire, BloodHound) when it is observed in the environment.
- Monitor access patterns to SYSVOL policy directories that are broad, scripted, or inconsistent with the source host’s role.
- Treat this as a behavioral signal rather than a stand-alone incident: false positives are likely from normal administration, troubleshooting, auditing, and configuration management.
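The detection direction above, as an added example that is not MITRE's, Glexia's, or any vendor's detection content: Python that classifies three SIEM-normalized Windows event types (4688 process creation with command line, 4104 PowerShell script block, 5145 detailed file share access on a domain controller) as GPO-discovery signals, correlates them per user and host, and scores them against a baseline. The baseline accounts, the maintenance window, the event field names, the sample events, and the mapping of a 5145 source address to a client host name are all constructed assumptions to be replaced with local data.

```python
"""Score GPO-discovery signals in Windows telemetry against a local baseline.

Added example (not MITRE's or Glexia's detection logic). Three SIEM-normalized
event types are correlated per (user, host):
  4688  process creation with command line -> gpresult.exe
  4104  PowerShell script block            -> GPO cmdlets / PowerView functions
  5145  detailed file share access on a DC -> reads under \\SYSVOL\...\Policies\{GUID}
Baseline accounts, maintenance window, field names and events are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

BASELINE_GPO_ADMINS = {"CORP\\hd.alice", "CORP\\svc-sccm"}  # assumed: roles expected to run GPO reporting
MAINTENANCE_HOURS = range(7, 20)                             # assumed: local hours when troubleshooting is expected

# Microsoft GroupPolicy module cmdlets plus the PowerView names cited in the technique description.
GPO_FUNCS = re.compile(r"\b(Get-DomainGPO\w*|Get-NetGPO\w*|Get-GPO(?:Report)?|Get-GPResultantSetOfPolicy)\b", re.I)
POWERVIEW = re.compile(r"^Get-(DomainGPO|NetGPO)", re.I)     # offensive tooling, not part of admin modules
SYSVOL_POLICY = re.compile(r"\\Policies\\(\{[0-9A-Fa-f-]{36}\})")


def classify(ev):
    """Return (signal, detail) when an event is a GPO-discovery indicator, else None."""
    if ev["id"] == 4688 and ev["image"].lower().endswith("\\gpresult.exe"):
        return "gpresult", ev["cmdline"]
    if ev["id"] == 4104:
        m = GPO_FUNCS.search(ev["script"])
        if m:
            return ("powerview" if POWERVIEW.match(m.group(0)) else "gpo_module"), m.group(0)
    if ev["id"] == 5145 and ev["share"].upper().endswith("\\SYSVOL"):
        m = SYSVOL_POLICY.search(ev["target"])
        if m:
            return "sysvol_policies", m.group(1)
    return None


def detect(events, window=timedelta(minutes=10), min_gpos=5):
    """Correlate signals per (user, host); one finding per actor with reasons and severity."""
    by_actor = defaultdict(list)
    for ev in events:
        hit = classify(ev)
        if hit:
            by_actor[(ev["user"], ev["host"])].append((ev["time"], *hit))
    findings = []
    for (user, host), hits in by_actor.items():
        hits.sort(key=lambda h: h[0])
        signals = {s for _, s, _ in hits}
        guids = {d for _, s, d in hits if s == "sysvol_policies"}
        span = hits[-1][0] - hits[0][0]
        broad = len(guids) >= min_gpos and span <= window     # many GPO folders read quickly = scripted
        reasons = []
        if "powerview" in signals:
            reasons.append("PowerView-style GPO function executed")
        if broad:
            reasons.append(f"{len(guids)} GPO folders read in {int(span.total_seconds())}s (scripted SYSVOL enumeration)")
        if user not in BASELINE_GPO_ADMINS:
            reasons.append("actor is not a baselined GPO administrator")
        if any(t.hour not in MAINTENANCE_HOURS for t, _, _ in hits):
            reasons.append("activity outside maintenance hours")
        if len(signals) >= 2:
            reasons.append("multiple discovery methods: " + ", ".join(sorted(signals)))
        if "powerview" in signals or len(reasons) >= 3:
            severity = "high"
        elif broad or len(reasons) >= 2:
            severity = "medium"
        else:
            severity = "info"   # e.g. a baselined admin running gpresult during the day
        findings.append({"user": user, "host": host, "severity": severity,
                         "signals": sorted(signals), "reasons": reasons})
    return findings


def _t(hour, minute, second=0):
    return datetime(2026, 3, 5, hour, minute, second)


# Constructed events. For 5145 the 'host' is the client the SIEM resolved from the source address (assumption).
SAMPLE_EVENTS = [
    {"id": 4688, "time": _t(10, 12), "user": "CORP\\hd.alice", "host": "HD-LAPTOP-07",
     "image": "C:\\Windows\\System32\\gpresult.exe", "cmdline": "gpresult /r /scope:computer"},
    {"id": 4104, "time": _t(10, 15), "user": "CORP\\hd.alice", "host": "HD-LAPTOP-07",
     "script": "Get-GPOReport -All -ReportType Html -Path C:\\temp\\gpo.html"},
    {"id": 4688, "time": _t(2, 7), "user": "CORP\\j.doe", "host": "WS-0417",
     "image": "C:\\Windows\\System32\\gpresult.exe", "cmdline": "gpresult /z"},
    {"id": 4104, "time": _t(2, 9), "user": "CORP\\j.doe", "host": "WS-0417",
     "script": "Get-DomainGPOLocalGroup | ? { $_.GroupSID -match 'S-1-5-32-544' }"},
] + [
    {"id": 5145, "time": _t(2, 11, i), "user": "CORP\\j.doe", "host": "WS-0417", "share": "\\\\*\\SYSVOL",
     "target": f"corp.local\\Policies\\{{{i:08d}-0000-0000-0000-000000000000}}\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf"}
    for i in range(6)
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['user']} on {f['host']}: {', '.join(f['signals'])}")
        for r in f["reasons"]:
            print("          -", r)
```

On the constructed events, the baselined help-desk account running gpresult and Get-GPOReport during the day scores as informational, while the workstation user invoking Get-DomainGPOLocalGroup at 02:00 and then reading six GPO folders from SYSVOL within seconds scores high: a PowerView function name does not appear in routine administration, and the breadth of SYSVOL reads is what separates scripted enumeration from a technician checking one policy. Tune min_gpos and window to the environment's GPO count and tooling.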
Mitigation priorities
- Harden and monitor Active Directory and Group Policy administration, including least-privilege access to GPO management functions.
- Restrict and review who can modify Group Policy, with change control and alerting for policy changes tied to T1484 risk.
- Enable and retain Windows, PowerShell, endpoint, and domain controller telemetry sufficient to reconstruct GPO discovery during investigations.
- Document legitimate GPO audit and troubleshooting workflows so SOC teams can separate expected administrative activity from suspicious discovery.
- Regularly review GPO design for excessive privileges, local group assignments, and policy settings that could create escalation paths if discovered or manipulated.
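To show what Get-DomainGPOLocalGroup (named in the technique description above) actually finds, and to support the last bullet's review of local group assignments, here is an added example that is not PowerView's, Empire's, or MITRE's code: an independent Python scanner that walks a SYSVOL Policies tree and reports which GPOs add which principals to local groups, reading the Restricted Groups section of GptTmpl.inf (handling its usual UTF-16 encoding) and the Group Policy Preferences Groups.xml. The two GPOs, their GUIDs, SIDs and group names are constructed in a temporary directory; the well-known local group SID table is limited to Administrators and Remote Desktop Users.

```python
"""Report local group membership granted by GPOs, from a SYSVOL Policies tree.

Added example, independent of PowerView/Empire and MITRE: it re-implements the
lookup behind Get-DomainGPOLocalGroup so defenders can run the same review.
  MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf  ([Group Membership] section)
  MACHINE\\Preferences\\Groups\\Groups.xml              (Group Policy Preferences)
The tree scanned here is constructed (fictitious GUIDs, SIDs, groups) in a temp dir;
point find_gpo_local_groups() at \\\\<DOMAIN>\\SYSVOL\\<DOMAIN>\\Policies for real use.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

WELL_KNOWN_LOCAL_GROUPS = {"S-1-5-32-544": "Administrators", "S-1-5-32-555": "Remote Desktop Users"}
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def read_text(path):
    """GptTmpl.inf is normally UTF-16 with a BOM; GPT.INI and Groups.xml are ASCII/UTF-8."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return raw.decode("utf-16") if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else raw.decode("utf-8-sig")


def parse_ini(text):
    """Minimal INI reader; keys contain '*' and '__', which configparser would mangle."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def principal(name):
    """Drop the '*' that marks a SID in GptTmpl.inf; name well-known BUILTIN groups."""
    name = name.strip().lstrip("*")
    return WELL_KNOWN_LOCAL_GROUPS.get(name, name)


def memberships_from_gpttmpl(path):
    """(local_group, member) pairs from Restricted Groups: X__Members and X__Memberof keys."""
    rows = []
    for key, value in parse_ini(read_text(path)).get("Group Membership", []):
        if "__" not in key:
            continue
        subject, relation = key.rsplit("__", 1)
        targets = [principal(t) for t in value.split(",") if t.strip()]
        if relation.lower() == "members":     # subject is the local group being populated
            rows += [(principal(subject), t) for t in targets]
        elif relation.lower() == "memberof":  # subject is placed into each target group
            rows += [(t, principal(subject)) for t in targets]
    return rows


def memberships_from_groups_xml(path):
    """(local_group, member) pairs from Group Policy Preferences; only ADD actions grant."""
    rows = []
    for group in ET.parse(path).getroot().iter("Group"):
        props = group.find("Properties")
        if props is None:
            continue
        local_group = principal(props.get("groupSid") or props.get("groupName", ""))
        rows += [(local_group, m.get("name") or m.get("sid", ""))
                 for m in props.iter("Member") if m.get("action", "").upper() == "ADD"]
    return rows


def find_gpo_local_groups(policies_root):
    """Walk Policies\\{GUID}\\..., name each GPO from its GPT.INI displayName, list grants."""
    names, findings = {}, []
    for dirpath, _, files in os.walk(policies_root):
        match = GUID_RE.search(dirpath)
        if not match:
            continue
        guid = match.group(0)
        for fname in files:
            full, low = os.path.join(dirpath, fname), fname.lower()
            if low == "gpt.ini":
                names.update({guid: v for k, v in parse_ini(read_text(full)).get("General", [])
                              if k.lower() == "displayname"})
            elif low in ("gpttmpl.inf", "groups.xml"):
                parser = memberships_from_gpttmpl if low == "gpttmpl.inf" else memberships_from_groups_xml
                findings += [{"gpo": guid, "file": fname, "local_group": g, "member": m} for g, m in parser(full)]
    for f in findings:
        f["name"] = names.get(f["gpo"], f["gpo"])
    return findings


def _write(path, text, encoding=None):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding=encoding) as fh:
        fh.write(text)


def build_sample_sysvol(root):
    """Constructed SYSVOL fragment (fictitious GUIDs, SIDs and groups) under <root>/Policies."""
    a = os.path.join(root, "Policies", "{11111111-1111-1111-1111-111111111111}")
    b = os.path.join(root, "Policies", "{22222222-2222-2222-2222-222222222222}")
    _write(os.path.join(a, "GPT.INI"), "[General]\nVersion=65539\ndisplayName=Workstation Admins\n")
    _write(os.path.join(a, "MACHINE", "Microsoft", "Windows NT", "SecEdit", "GptTmpl.inf"),
           "[Unicode]\nUnicode=yes\n[Group Membership]\n"
           "*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-1105,CORP\\Helpdesk\n"
           "CORP\\Desktop Support__Memberof = *S-1-5-32-555\n", encoding="utf-16")
    _write(os.path.join(b, "GPT.INI"), "[General]\nVersion=3\ndisplayName=Server Baseline\n")
    _write(os.path.join(b, "MACHINE", "Preferences", "Groups", "Groups.xml"),
           '<?xml version="1.0" encoding="utf-8"?>\n<Groups>\n <Group name="Administrators (built-in)">\n'
           '  <Properties action="U" groupSid="S-1-5-32-544" groupName="Administrators (built-in)">\n'
           '   <Members>\n    <Member name="CORP\\ServerOps" action="ADD" sid="S-1-5-21-1111-2222-3333-1107"/>\n'
           '    <Member name="CORP\\LegacyAdmins" action="REMOVE" sid=""/>\n'
           '   </Members>\n  </Properties>\n </Group>\n</Groups>\n')
    return os.path.join(root, "Policies")


def scan_sample():
    with tempfile.TemporaryDirectory() as tmp:
        return find_gpo_local_groups(build_sample_sysvol(tmp))


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f['name']} {f['gpo']} [{f['file']}]: {f['member']} -> local {f['local_group']}")
```

Run against a real domain, the same walk over \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies is exactly what an adversary with ordinary authenticated access can perform, because SYSVOL is readable by all domain users by default; that is why a GPO that pushes a broad domain group into local Administrators is worth finding in review before an intruder finds it. Group Policy Preferences REMOVE actions are deliberately skipped, since they revoke rather than grant.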
Analyst notes and limits
This object is a technique, not a vulnerability. Its business value is in showing whether an adversary or tool is mapping AD governance and possible escalation paths. The most useful defensive question is whether GPO discovery can be tied to identity, host, parent process, and subsequent behavior. Relationship context supports awareness of named groups, a campaign, and software that use the technique, but those relationships should not be treated as attribution without additional evidence.
MITRE does not provide official detection text for T1615 in the mirrored object, so this analysis is based on the official description, platforms, tactics, external references, and listed relationships only. Local environment baselines are required because gpresult, PowerShell GPO queries, SYSVOL access, and GPO reporting are all routine administrative activity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Groups, software, and campaigns
G0010: Turla
Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]
S1141: LunarWeb
LunarWeb is a backdoor that has been used by Turla since at least 2020 including in a compromise of a European ministry of foreign affairs (MFA) together with LunarLoader and LunarMail. LunarWeb has only been observed deployed against servers and can use Steganography to obfuscate command and control.[1]
S1159: DUSTTRAP
S0521: BloodHound
BloodHound is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.[1][2][3]
S0363: Empire
Empire is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[1][2][3]
S0082: Emissary
Emissary is a Trojan that has been used by Lotus Blossom. It shares code with Elise, with both Trojans being part of a malware group referred to as LStudio.[1]
C0049: Leviathan Australian Intrusions
Leviathan Australian Intrusions consisted of at least two long-term intrusions against victims in Australia by Leviathan, relying on similar tradecraft such as external service exploitation followed by extensive credential capture and re-use to enable privilege escalation and lateral movement. Leviathan Australian Intrusions were focused on exfiltrating sensitive data including valid credentials for the victim organizations.[1]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 9d35f896c3ed… |
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] srachui. (2012, February 13). Group Policy Basics – Part 1: Understanding the Structure of a Group Policy Object. Microsoft TechNet. Retrieved March 5, 2019.
[2] Metcalf, S. (2016, March 14). Sneaky Active Directory Persistence #17: Group Policy. ADSecurity. Retrieved March 5, 2019.
[3] Microsoft. (2017, October 16). gpresult. Retrieved August 6, 2021.
[4] Schroeder, W., Warner, J., Nelson, M. (n.d.). PowerShellEmpire. GitHub. Retrieved April 28, 2016.
[5] MITRE ATT&CK. T1615: Group Policy Discovery.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.