Finding vulnerable GPO
Look for a GPLink where you have the Write right.
Get-DomainObjectAcl -Identity "SuperSecureGPO" -ResolveGUIDs | Where-Object { $_.ActiveDirectoryRights -like "*WriteProperty*" }
1) runas /netonly /user:DOMAIN\AD_USERNAME cmd.exe
2) dir \\DOMAIN\sysvol
3) mmc
4) File -> Add/Remove Snap-in
5) Group Policy Management then click Add
6) OK
7) Navigate to the GPO our user has permission to modify
8) Right-click on GPO and select edit
Add our account to local groups
1) Expand Computer Configuration
2) Expand Policies
3) Expand Windows Settings
4) Expand Security Settings
5) Right-click on Restricted Groups and select Add Group
6) Click browse, enter IT Support (example) and click Check Names
7) Click OK twice
8) On second filter, add Administrators and Remote Desktop Users groups
9) Apply and OK then WAIT FOR 15 MINUTES FOR THE GPO TO BE APPLIED
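For defenders: the Restricted Groups change made in the steps above is stored in the GPO's GptTmpl.inf under a [Group Membership] section, so it can be audited from SYSVOL. The following is an added example, not part of the original page or of any tool it references; the function names and the sample SID are constructed for illustration.

```powershell
# Added example: flag Restricted Groups entries that grant privileged local group membership.
$Privileged = @{
    'S-1-5-32-544' = 'Administrators'         # well-known SID
    'S-1-5-32-555' = 'Remote Desktop Users'   # well-known SID
}

# Return the privileged group name for a SID or name token, or $null if it is neither.
function Resolve-PrivilegedGroup([string]$Token) {
    $key = $Token.Trim().TrimStart('*')
    if ($Privileged.ContainsKey($key)) { return $Privileged[$key] }
    if ($Privileged.Values -contains $key) { return $key }
    return $null
}

# Hypothetical helper: parse GptTmpl.inf text and emit one object per privileged grant.
function Find-RestrictedGroupGrant {
    param([Parameter(Mandatory)][string]$InfText, [string]$Source = 'inline sample')
    $inSection = $false
    foreach ($raw in ($InfText -split '\r?\n')) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection) { continue }
        if ($line -match '^(.+?)__(Memberof|Members)\s*=\s*(.*)$') {
            $subject = $Matches[1]; $kind = $Matches[2]
            $values = @($Matches[3] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            foreach ($v in $values) {
                # Memberof: subject joins group $v.  Members: $v is placed into group subject.
                if ($kind -eq 'Memberof') { $group = Resolve-PrivilegedGroup $v; $who = $subject }
                else                      { $group = Resolve-PrivilegedGroup $subject; $who = $v }
                if ($group) {
                    [pscustomobject]@{ Source = $Source; Principal = $who.TrimStart('*'); LocalGroup = $group }
                }
            }
        }
    }
}

# Constructed sample: what the "IT Support" Restricted Groups entry looks like on disk.
$sample = @'
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544,*S-1-5-32-555
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
'@
Find-RestrictedGroupGrant -InfText $sample | Format-Table -AutoSize
```

To audit a live domain, pass the contents of each GPO's `Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf` under the SYSVOL Policies folder (read with `Get-Content -Raw`) and compare the reported principals against the accounts you expect to hold local admin or RDP rights.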