==================================================

CREATED: WIN-FINDSTR-SYSVOL-POLICIES (#1459)

Description

This detector identifies instances of the Windows Find String (findstr.exe) utility searching Group Policy Object files for cpassword entries to discover Group Policy Preferences containing passwords. Adversaries use this technique to discover account credentials within misconfigured Group Policy Objects.

ATT&CK Technique T1081

==================================================

CREATED: WIN-COPY-SYSVOL-POLICIES (#1460)

Description

This detector identifies instances of xcopy.exe or Robust Copy (robocopy.exe) copying items from an Active Directory domain's Group Policy Object storage folder. Adversaries use this technique to copy Group Policy Objects for offline analysis and searching.

ATT&CK Technique T1081
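
The matching both detectors describe can be sketched over process-creation events as follows. This is an added example, not the product's detector logic: the detector names are reused from this page only as labels, while the matching rules, the corp.example domain and all sample events are constructed assumptions.

```python
import re
from ntpath import basename

# Assumed path rule: Group Policy storage, either UNC (\\domain\SYSVOL\domain\Policies)
# or local to a domain controller (C:\Windows\SYSVOL\sysvol\domain\Policies).
SYSVOL_POLICIES = re.compile(r'\\sysvol\\[^"\s]*\\policies(?=[\\"\s]|$)', re.I)
TOKEN = re.compile(r'"[^"]*"|\S+')  # quoted strings or bare words
COPY_TOOLS = {"xcopy.exe", "robocopy.exe"}

def classify(image, command_line, cwd=""):
    """Return the matching detector name for one process-creation event, or None."""
    exe = basename(image).lower()
    if exe == "findstr.exe":
        # A relative search (findstr /S cpassword *.xml) reveals its target
        # only through the working directory, so both fields are checked.
        in_sysvol = SYSVOL_POLICIES.search(command_line) or SYSVOL_POLICIES.search(cwd)
        if in_sysvol and "cpassword" in command_line.lower():
            return "WIN-FINDSTR-SYSVOL-POLICIES"
    elif exe in COPY_TOOLS:
        # For both tools the first non-switch argument is the source. A copy
        # *into* SYSVOL is ordinary administration and is not flagged.
        args = TOKEN.findall(command_line)[1:]  # drop argv[0]
        positional = [a for a in args if not a.startswith("/")]
        if positional and SYSVOL_POLICIES.search(positional[0]):
            return "WIN-COPY-SYSVOL-POLICIES"
    return None

# Constructed sample events: (image, command line, working directory).
EVENTS = [
    (r"C:\Windows\System32\findstr.exe",
     r"findstr /S /I cpassword \\corp.example\SYSVOL\corp.example\Policies\*.xml", r"C:\Users\a"),
    (r"C:\Windows\System32\findstr.exe",
     r"findstr /S /I cpassword *.xml", r"C:\Windows\SYSVOL\sysvol\corp.example\Policies"),
    (r"C:\Windows\System32\findstr.exe", r"findstr /I error C:\Logs\app.log", r"C:\Logs"),
    (r"C:\Windows\System32\Robocopy.exe",
     r"robocopy \\corp.example\SYSVOL\corp.example\Policies C:\Temp\gpo /E", r"C:\Users\a"),
    (r"C:\Windows\System32\Robocopy.exe",
     r"robocopy C:\Staging\Policies \\corp.example\SYSVOL\corp.example\Policies /E", r"C:\Staging"),
    (r"C:\Windows\System32\xcopy.exe",
     r'"C:\Windows\System32\xcopy.exe" /E /I "\\corp.example\SYSVOL\corp.example\Policies" C:\Temp\gpo', r"C:\Users\a"),
]

def run():
    return [classify(image, cmd, cwd) for image, cmd, cwd in EVENTS]

if __name__ == "__main__":
    for event, verdict in zip(EVENTS, run()):
        print(verdict or "-", "|", event[1])
```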
