Identifying privilege escalation paths within an Active Directory environment is crucial for a successful red team. Over the last few years, BloodHound has made it easier for red teamers to perform reconnaissance activities and identify these attacks paths. When evaluating BloodHound data, it is common to find ourselves having sufficient rights to modify a Group Policy Object (GPO). This level of access allows us to perform a number of attacks, targeting any computer or user object controlled by the vulnerable GPO. In this talk we will present previous research related to GPO abuses and share a number of misconfigurations we have found in the wild. We will also present a tool that allows red teamers to target users and computers controlled by a vulnerable GPO in order to escalate privileges and move laterally within the environment.

1. (Ab)Using GPOs For Active Directory Pwnage
Petros Koutroumpis - @pkb1s
Dennis Panagiotopoulos - @den_n1s
Red Team Village | DEF CON 27

2. Agenda
• GPO Internals
• Hunting for weak GPO permissions
• Example scenarios
• Exploitation methods and SharpGPOAbuse

3. Previous Work
• @grouppolicyguy - https://sdmsoftware.com
• @_wald0 - https://wald0.com
• @PyroTek3 - https://adsecurity.org
• @harmj0y - http://www.harmj0y.net
• @_RastaMouse - https://rastamouse.me

4. What is a GPO?
• Allows administrators to easily control the settings deployed to clients
within an Active Directory environment.
• Configure settings for User and Computer accounts
• Can be Local or in Active Directory

5. Components of a GPO
• Group Policy Container (GPC)
• Group Policy Template (GPT)
Also,
• Client-Side Extensions (CSEs)

6. Group Policy Container (GPC)

7. • displayName
• gPCFileSysPath
• versionNumber
• gPCMachineExtensionNames and gPCUserExtensionNames
Group Policy Container (GPC)
Important Attributes:

8. Group Policy Template (GPT)

9. Client-Side Extensions (CSEs)
• DLLs installed on clients
• Used to process GPO settings
• Identified by a GUID
• Found in the gPCMachineExtensionNames and
gPCUserExtensionNames attributes of a GPO
• Special order

10. Client-Side Extensions (CSEs)
• gPCMachineExtensionNames value when Audit Policy is configured
[
{827D319E-6EAC-11D2-A4EA-00C04F79F83A} //Security Settings
{803E14A0-B4FB-11D0-A0D0-00A0C90F574B} //Computer Restricted Groups
]
• gPCMachineExtensionNames value after adding a Startup Script
[
{42B5FAAE-6536-11D2-AE5A-0000F87571E3} //Process Scripts Group Policy
{40B6664F-4972-11D1-A7CA-0000F87571E3} //Startup - Shutdown Scripts
]
[
{827D319E-6EAC-11D2-A4EA-00C04F79F83A} //Security Settings
{803E14A0-B4FB-11D0-A0D0-00A0C90F574B} //Computer Restricted Groups
]

11. Client-Side Extensions (CSEs)
https://blogs.technet.microsoft.com/mempson/2010/12/01/group-policy-client-side-extension-list/

12. GPO Precedence and Inheritance
What happens when multiple GPOs apply to a client?
• Local
• Site
• Domain
• OU

13. GPO Precedence and Inheritance
• What happens when multiple GPOs are linked to the same OU?

14. Blocking and Enforcement
Settings that can affect the GPO processing order:
• Block Inheritance
• Enforcement

15. Enforcement and Precedence

16. Enforcement and Precedence

17. Enforcement and Precedence

18. GPO Processing
There are 2 types of GPO processing:
• Foreground
– All settings are processed
– Affects login/logoff times
• Background
– Applied at regular intervals
– Not all settings are processed

19. The GpLink Attribute

20. The GpLink Attribute
GPLinkOptions:
• 0: The GPO is not enforced. This is the default value
• 1: The GPO link is not enabled
• 2: The GPO is enforced
• 3: The GPO is enforced but not enabled
[LDAP://cn={9CD1C444-260F-40C6-A67B-E178446622A5},cn=policies,cn=system,DC=europa,DC=com;0]
[LDAP://cn={77D3AFFC-1292-4DBE-AE89-CEDEE60BAD0E},cn=policies,cn=system,DC=europa,DC=com;2]
[LDAP://cn={C877A421-BF69-439E-89C3-99CF82C71299},cn=policies,cn=system,DC=europa,DC=com;2]

21. Bringing everything together

22. Bringing everything together

23. Bringing everything together

24. Bringing everything together

25. Bringing everything together

26. Bringing everything together

27. GPO Permissions
• Owns
• GenericAll
• GenericWrite
• WriteProperty
• WriteDACL
• WriteOwner
https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf

28. Hunting for weak GPO permissions
Tools of the trade:
• accesschk.exe, icacls, etc
• BloodHound
– https://github.com/BloodHoundAD/BloodHound
• PowerView
– https://github.com/PowerShellMafia/PowerSploit
• Grouper2
– https://github.com/l0ss/Grouper2

29. BloodHound
• Released in 2016 by @_wald0, @CptJesus and @harmj0y
• Uses graph theory to reveal relationships between active directory
components
• An ingestor collects data that can be loaded onto a neo4j database
• Useful for both Red and Blue teams

30. BloodHound

31. BloodHound and GPOs
• If a gPLink is dotted then the GPO is not enforced
• If a gPLink is solid then the GPO is Enforced
• If a Contains link is dotted then Block Inheritance is enabled

32. BloodHound and GPOs

33. BloodHound and GPOs

34. What about in real life?
• Misconfigurations are very common
• Multiple instances where arbitrary “low-privileged” users were able to
modify a GPO

35. Example 1 – Compromise Computer

36. Example 2 – Compromise User

37. Exploiting these scenarios
• Group Policy Management Console (GPMC)
• Manually edit GPC and GPT
• SharpGPOAbuse 

38. Group Policy Management Console (GPMC)

39. Manual Exploitation
• Each GPO settings has different dependencies:
– Hidden .ini files
– Various .xml files
• Error prone
• Time consuming

40. Manual Exploitation
Things to be remember:
• CSE order in gPCMachineExtensionNames and
gPCUserExtensionNames
• Version number in GPT.ini and versionNumber attribute must be the
same.
– versionNumber = {User Node: upper 16 bits}{Machine Node: lower 16 bits}

41. Manual Exploitation
Adding a user to the local Administrators group:
• Find the SID of the user we want to add as a local admin
• Get the GUID of the target GPO
• Create SYSVOLdomainPolicies{GUID}MachineMicrosoftWindows
NTSecEditGptTmpl.inf with the following contents:
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *<USER-SID>

42. Manual Exploitation
• Calculate the new GPO version
• Update the value of the version parameter in
SYSVOLdomainPolicies{GUID}GPT.ini
• Update the versionNumber attribute in the GPC
• Find the values of the required CSEs and add them sorted in the
gPCMachineExtensionNames attribute of the GPO object
• Hope you didn’t mess anything up 

43. SharpGPOAbuse
• .NET application written in C#
• Simplifies the process – a lot
• Can be used to exploit both Computer and User GPO settings

44. SharpGPOAbuse - Functionality
Currently supports the following:
• Add rights to user (SeDebugPrivilege, SeImpersonatePrivilege, etc.)
• Add startup scripts
• Add immediate tasks to user or computer
• Add user to local Administrators group

45. Example 1 – Compromise Computer

47. Example 2 – Compromise User

49. Bonus - What about cross domain?
• GPOs can also apply to different domains
• New PR to SharpHound
• You can use SharpGPOAbuse to abuse this scenario as well 

50. Bonus - What about cross domain?

52. Related Links
SharpGPOAbuse
• https://github.com/mwrlabs/SharpGPOAbuse
Additional Links
• https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-
basics-part-1-understanding-the-structure-of-a-group-policy-object/#comments
• http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
• https://wald0.com/?p=179
• https://adsecurity.org/?p=2716
• https://rastamouse.me/2019/01/gpo-abuse-part-2/
• https://rastamouse.me/2019/01/gpo-abuse-part-1/

53. The End
Questions?