discover Group Policy via gpresult

rule:
  meta:
    name: discover Group Policy via gpresult
    namespace: collection/group-policy
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Discovery::Group Policy Discovery [T1615]
    examples:
      - 9e4d06759f278255073f9ac7b31a115a:0x100068B7
  features:
    - and:
      - os: windows
      - or:
        - substring: "gpresult"
        - substring: "GPRESULT"