Theory
A Domain Group Policy Object encompasses a series of directives, restrictions and configurations that apply to a specific set of AD objects, whether user accounts or computer accounts.
Therefore, if an attacker takes control of a domain account that holds certain rights or privileges over a GPO, they can modify it by adding or editing settings or features in order to compromise some or all of the objects to which the GPO is linked and applied.
Some actions that can be taken by abusing certain rights over a GPO are →
- Adding additional rights to a user account (such as SeDebugPrivilege, SeTakeOwnershipPrivilege, SeImpersonatePrivilege)
- Adding a local admin user to one or more hosts
- Creating an immediate scheduled task to perform any action on the given host
Interesting ACEs over a GPO
- WriteProperty to the GPC-File-Sys-Path property of a GPO
- GenericAll, GenericWrite and WriteProperty to any property
- WriteDACL and WriteOwner
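The ACEs listed above are what a defender should periodically audit for. The following PowerShell script is an added example written for this page (it is not part of the original page or of any of the tools it mentions). It uses the RSAT ActiveDirectory module to read the security descriptor of every groupPolicyContainer under CN=Policies,CN=System and reports Allow ACEs granting GenericAll, GenericWrite, WriteProperty, WriteDacl or WriteOwner to principals outside an allow-list. The allow-list in $expected is an assumption and should be adjusted to the domain's own administrative model; the schema GUID of gPCFileSysPath is resolved at runtime rather than hard-coded.

```powershell
# Added example, not from the original page: audit GPO ACLs for write-capable ACEs
# held by principals that are not expected to edit GPOs. Requires the RSAT
# ActiveDirectory module and read access to the Policies container.
Import-Module ActiveDirectory

# Assumption: principals that legitimately hold write rights over GPOs in this domain.
$expected = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', 'CREATOR OWNER',
              'ENTERPRISE DOMAIN CONTROLLERS')

$rootDse = Get-ADRootDSE

# Resolve the schemaIDGUID of gPCFileSysPath so a property-scoped WriteProperty ACE
# on that attribute (the GPC-File-Sys-Path case) can be recognised.
$gpcPathGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=gPCFileSysPath)' -Properties schemaIDGUID).schemaIDGUID
$allProps = [guid]::Empty   # an all-zero ObjectType means the ACE covers every property

# Rights that allow modifying the GPO object or its security descriptor.
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteProperty, WriteDacl, WriteOwner'

$gpos = Get-ADObject -SearchBase "CN=Policies,CN=System,$($rootDse.defaultNamingContext)" `
    -LDAPFilter '(objectClass=groupPolicyContainer)' `
    -Properties displayName, nTSecurityDescriptor

$findings = foreach ($gpo in $gpos) {
    foreach ($ace in $gpo.nTSecurityDescriptor.Access) {
        # Only Allow ACEs carrying at least one write-capable right are of interest.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.ActiveDirectoryRights -band $writeMask) -eq 0) { continue }

        # A property-scoped ACE only covers the single attribute in ObjectType; the
        # interesting attribute here is gPCFileSysPath, other attributes are skipped.
        if ($ace.ObjectType -ne $allProps -and $ace.ObjectType -ne $gpcPathGuid) { continue }

        # IdentityReference is "DOMAIN\name" when resolvable, otherwise a raw SID string.
        $name = $ace.IdentityReference.Value.Split('\')[-1]
        if ($expected -contains $name) { continue }

        [pscustomobject]@{
            GPO       = $gpo.displayName
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Scope     = if ($ace.ObjectType -eq $gpcPathGuid) { 'gPCFileSysPath' } else { '(all properties)' }
        }
    }
}

# Each row is a GPO that a non-expected principal can modify; review and remediate.
$findings | Sort-Object GPO, Principal | Format-Table -AutoSize
```

Unresolved SIDs in the Principal column usually indicate deleted accounts and are worth cleaning up as well, since a later object created with the same SID history would inherit the right. Running this from a scheduled job and diffing the output against a known-good baseline is a cheap way to detect newly granted GPO write rights.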
Recon - UNIX-like
LDAPSearch
Enumerating GPOs
ldapsearch -LLL -x -H 'ldap://<DC>' -D '<USER>@<DOMAIN>' -w '<PASSWD>' -b 'CN=Policies,CN=System,DC=lab,DC=local' displayName | awk -F: -v IGNORECASE=1 '/displayName/ { print $2 }'
Go-Windapsearch
go-windapsearch --domain '<DOMAIN>' --dc '<DC>' --username '<USER>' --password '<PASSWD>' --module 'gpos'
Recon - Windows
Powerview
Enumerating GPOs
Get-DomainGPO
Get-DomainGPO | Select displayName
Listing the GPO's ACEs for a specific account
Get-DomainGPO + Get-ObjectACL
$sid = Convert-NameToSID '<ACCOUNT_OR_GROUP>'
Get-DomainGPO | Get-ObjectACL | ? { $_.SecurityIdentifier -eq $sid }
Group Policy Module
Enumerating GPOs
Get-GPO -All | Select displayName
Converting GPO GUID to Name
Get-GPO
Get-GPO -Guid '<GPO_GUID>'
Group3r
group3r.exe -f '<LOG_FILE>'
Abuse - Windows
SharpGPOAbuse