PK
Uploaded byPetros Koutroumpis
PPTX, PDF1,036 views

(Ab)Using GPOs for Active Directory Pwnage

The document discusses the exploitation of Group Policy Objects (GPO) within Active Directory environments, focusing on weak GPO permissions and various exploitation methods. It covers topics such as GPO internals, processing types, permissions, and tools like BloodHound and SharpGpoAbuse for hunting and exploitation. The document also highlights real-life examples of misconfigurations allowing unauthorized modifications to GPOs.

Presentations & Public Speaking
In this document
Powered by AI

Overview of GPOs for Active Directory and the presentation agenda.

Explains what GPOs are and details the components: GPC, GPT, and CSEs.

Discusses GPO processing order, precedence, and settings that affect GPO applications.

Describes foreground and background processing types for GPOs.

Information on GPLink attributes and their values affecting GPO enforcement.

Brings together concepts related to GPOs and emphasizes key elements.

Identifies permissions associated with GPOs and tools for hunting weak permissions.

Overview of BloodHound tool used to analyze GPO relationships and common misconfigurations.

Examples of Compromise Computer and User scenarios highlighting exploitation techniques.

Manual methods for exploiting GPOs, including steps for modifying GPC and GPT.

Introduction to the SharpGPOAbuse tool, its functionalities for GPO exploitation.

Discusses the potential for GPOs to apply across different domains and exploitation strategies.

Provides links to relevant resources, including SharpGPOAbuse and additional reading.

Wraps up the presentation and opens the floor for questions.

Embed presentation

Downloaded 18 times
(Ab)Using GPOs For Active Directory Pwnage Petros Koutroumpis - @pkb1s Dennis Panagiotopoulos - @den_n1s Red Team Village | DEF CON 27
Agenda • GPO Internals • Hunting for weak GPO permissions • Example scenarios • Exploitation methods and SharpGPOAbuse
Previous Work • @grouppolicyguy - https://sdmsoftware.com • @_wald0 - https://wald0.com • @PyroTek3 - https://adsecurity.org • @harmj0y - http://www.harmj0y.net • @_RastaMouse - https://rastamouse.me
What is a GPO? • Allows administrators to easily control the settings deployed to clients within an Active Directory environment. • Configure settings for User and Computer accounts • Can be Local or in Active Directory
Components of a GPO • Group Policy Container (GPC) • Group Policy Template (GPT) Also, • Client-Side Extensions (CSEs)
Group Policy Container (GPC)
• displayName • gPCFileSysPath • versionNumber • gPCMachineExtensionNames and gPCUserExtensionNames Group Policy Container (GPC) Important Attributes:
Group Policy Template (GPT)
Client-Side Extensions (CSEs) • DLLs installed on clients • Used to process GPO settings • Identified by a GUID • Found in the gPCMachineExtensionNames and gPCUserExtensionNames attributes of a GPO • Special order
Client-Side Extensions (CSEs) • gPCMachineExtensionNames value when Audit Policy is configured [ {827D319E-6EAC-11D2-A4EA-00C04F79F83A} //Security Settings {803E14A0-B4FB-11D0-A0D0-00A0C90F574B} //Computer Restricted Groups ] • gPCMachineExtensionNames value after adding a Startup Script [ {42B5FAAE-6536-11D2-AE5A-0000F87571E3} //Process Scripts Group Policy {40B6664F-4972-11D1-A7CA-0000F87571E3} //Startup - Shutdown Scripts ] [ {827D319E-6EAC-11D2-A4EA-00C04F79F83A} //Security Settings {803E14A0-B4FB-11D0-A0D0-00A0C90F574B} //Computer Restricted Groups ]
Client-Side Extensions (CSEs) https://blogs.technet.microsoft.com/mempson/2010/12/01/group-policy-client-side-extension-list/
GPO Precedence and Inheritance What happens when multiple GPOs apply to a client? • Local • Site • Domain • OU
GPO Precedence and Inheritance • What happens when multiple GPOs are linked to the same OU?
Blocking and Enforcement Settings that can affect the GPO processing order: • Block Inheritance • Enforcement
Enforcement and Precedence
Enforcement and Precedence
Enforcement and Precedence
GPO Processing There are 2 types of GPO processing: • Foreground – All settings are processed – Affects login/logoff times • Background – Applied at regular intervals – Not all settings are processed
The GpLink Attribute
The GpLink Attribute GPLinkOptions: • 0: The GPO is not enforced. This is the default value • 1: The GPO link is not enabled • 2: The GPO is enforced • 3: The GPO is enforced but not enabled [LDAP://cn={9CD1C444-260F-40C6-A67B-E178446622A5},cn=policies,cn=system,DC=europa,DC=com;0] [LDAP://cn={77D3AFFC-1292-4DBE-AE89-CEDEE60BAD0E},cn=policies,cn=system,DC=europa,DC=com;2] [LDAP://cn={C877A421-BF69-439E-89C3-99CF82C71299},cn=policies,cn=system,DC=europa,DC=com;2]
Bringing everything together
Bringing everything together
Bringing everything together
Bringing everything together
Bringing everything together
Bringing everything together
GPO Permissions • Owns • GenericAll • GenericWrite • WriteProperty • WriteDACL • WriteOwner https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
Hunting for weak GPO permissions Tools of the trade: • accesschk.exe, icacls, etc • BloodHound – https://github.com/BloodHoundAD/BloodHound • PowerView – https://github.com/PowerShellMafia/PowerSploit • Grouper2 – https://github.com/l0ss/Grouper2
BloodHound • Released in 2016 by @_wald0, @CptJesus and @harmj0y • Uses graph theory to reveal relationships between active directory components • An ingestor collects data that can be loaded onto a neo4j database • Useful for both Red and Blue teams
BloodHound
BloodHound and GPOs • If a gPLink is dotted then the GPO is not enforced • If a gPLink is solid then the GPO is Enforced • If a Contains link is dotted then Block Inheritance is enabled
BloodHound and GPOs
BloodHound and GPOs
What about in real life? • Misconfigurations are very common • Multiple instances where arbitrary “low-privileged” users were able to modify a GPO
Example 1 – Compromise Computer
Example 2 – Compromise User
Exploiting these scenarios • Group Policy Management Console (GPMC) • Manually edit GPC and GPT • SharpGPOAbuse 
Group Policy Management Console (GPMC)
Manual Exploitation • Each GPO settings has different dependencies: – Hidden .ini files – Various .xml files • Error prone • Time consuming
Manual Exploitation Things to be remember: • CSE order in gPCMachineExtensionNames and gPCUserExtensionNames • Version number in GPT.ini and versionNumber attribute must be the same. – versionNumber = {User Node: upper 16 bits}{Machine Node: lower 16 bits}
Manual Exploitation Adding a user to the local Administrators group: • Find the SID of the user we want to add as a local admin • Get the GUID of the target GPO • Create SYSVOLdomainPolicies{GUID}MachineMicrosoftWindows NTSecEditGptTmpl.inf with the following contents: [Unicode] Unicode=yes [Version] signature="$CHICAGO$" Revision=1 [Group Membership] *S-1-5-32-544__Memberof = *S-1-5-32-544__Members = *<USER-SID>
Manual Exploitation • Calculate the new GPO version • Update the value of the version parameter in SYSVOLdomainPolicies{GUID}GPT.ini • Update the versionNumber attribute in the GPC • Find the values of the required CSEs and add them sorted in the gPCMachineExtensionNames attribute of the GPO object • Hope you didn’t mess anything up 
SharpGPOAbuse • .NET application written in C# • Simplifies the process – a lot • Can be used to exploit both Computer and User GPO settings
SharpGPOAbuse - Functionality Currently supports the following: • Add rights to user (SeDebugPrivilege, SeImpersonatePrivilege, etc.) • Add startup scripts • Add immediate tasks to user or computer • Add user to local Administrators group
Example 1 – Compromise Computer
Example 2 – Compromise User
Bonus - What about cross domain? • GPOs can also apply to different domains • New PR to SharpHound • You can use SharpGPOAbuse to abuse this scenario as well 
Bonus - What about cross domain?
Related Links SharpGPOAbuse • https://github.com/mwrlabs/SharpGPOAbuse Additional Links • https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy- basics-part-1-understanding-the-structure-of-a-group-policy-object/#comments • http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/ • https://wald0.com/?p=179 • https://adsecurity.org/?p=2716 • https://rastamouse.me/2019/01/gpo-abuse-part-2/ • https://rastamouse.me/2019/01/gpo-abuse-part-1/
The End Questions?

More Related Content

PPTX
Abusing Microsoft Kerberos - Sorry you guys don't get it
byBenjamin Delpy
 
PDF
DerbyCon 2019 - Kerberoasting Revisited
byWill Schroeder
 
PDF
Carlos García - Pentesting Active Directory Forests [rooted2019]
byRootedCON
 
PPTX
I hunt sys admins 2.0
byWill Schroeder
 
PDF
Attacker's Perspective of Active Directory
bySunny Neo
 
PDF
Derbycon - The Unintended Risks of Trusting Active Directory
byWill Schroeder
 
PDF
How to Hunt for Lateral Movement on Your Network
bySqrrl
 
PDF
Hunting Lateral Movement in Windows Infrastructure
bySergey Soldatov
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
byBenjamin Delpy
 
DerbyCon 2019 - Kerberoasting Revisited
byWill Schroeder
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
byRootedCON
 
I hunt sys admins 2.0
byWill Schroeder
 
Attacker's Perspective of Active Directory
bySunny Neo
 
Derbycon - The Unintended Risks of Trusting Active Directory
byWill Schroeder
 
How to Hunt for Lateral Movement on Your Network
bySqrrl
 
Hunting Lateral Movement in Windows Infrastructure
bySergey Soldatov
 

What's hot

PDF
ReCertifying Active Directory
byWill Schroeder
 
PPTX
PSConfEU - Offensive Active Directory (With PowerShell!)
byWill Schroeder
 
PDF
aclpwn - Active Directory ACL exploitation with BloodHound
byDirkjanMollema
 
PDF
Ace Up the Sleeve
byWill Schroeder
 
PDF
Hunting for Privilege Escalation in Windows Environment
byTeymur Kheirkhabarov
 
PDF
Not a Security Boundary
byWill Schroeder
 
PDF
Hunting for security bugs in AEM webapps
byMikhail Egorov
 
PPTX
Catch Me If You Can: PowerShell Red vs Blue
byWill Schroeder
 
PPTX
Here Be Dragons: The Unexplored Land of Active Directory ACLs
byAndy Robbins
 
PDF
An introduction to SSH
bynussbauml
 
PDF
0wn-premises: Bypassing Microsoft Defender for Identity
byNikhil Mittal
 
PDF
The Unintended Risks of Trusting Active Directory
byWill Schroeder
 
PDF
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
byWill Schroeder
 
PDF
HTTP Request Smuggling via higher HTTP versions
byneexemil
 
PDF
Securing AEM webapps by hacking them
byMikhail Egorov
 
PDF
Linux Performance Analysis: New Tools and Old Secrets
byBrendan Gregg
 
PDF
DNS hijacking using cloud providers – No verification needed
byFrans Rosén
 
PDF
No Easy Breach DerbyCon 2016
byMatthew Dunwoody
 
PDF
BPF: Tracing and more
byBrendan Gregg
 
PDF
Fantastic Red Team Attacks and How to Find Them
byRoss Wolf
 
ReCertifying Active Directory
byWill Schroeder
 
PSConfEU - Offensive Active Directory (With PowerShell!)
byWill Schroeder
 
aclpwn - Active Directory ACL exploitation with BloodHound
byDirkjanMollema
 
Ace Up the Sleeve
byWill Schroeder
 
Hunting for Privilege Escalation in Windows Environment
byTeymur Kheirkhabarov
 
Not a Security Boundary
byWill Schroeder
 
Hunting for security bugs in AEM webapps
byMikhail Egorov
 
Catch Me If You Can: PowerShell Red vs Blue
byWill Schroeder
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
byAndy Robbins
 
An introduction to SSH
bynussbauml
 
0wn-premises: Bypassing Microsoft Defender for Identity
byNikhil Mittal
 
The Unintended Risks of Trusting Active Directory
byWill Schroeder
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
byWill Schroeder
 
HTTP Request Smuggling via higher HTTP versions
byneexemil
 
Securing AEM webapps by hacking them
byMikhail Egorov
 
Linux Performance Analysis: New Tools and Old Secrets
byBrendan Gregg
 
DNS hijacking using cloud providers – No verification needed
byFrans Rosén
 
No Easy Breach DerbyCon 2016
byMatthew Dunwoody
 
BPF: Tracing and more
byBrendan Gregg
 
Fantastic Red Team Attacks and How to Find Them
byRoss Wolf
 

Similar to (Ab)Using GPOs for Active Directory Pwnage

PPTX
Group Policy Windows Server 2008
byUnitek Eduation
 
PPTX
Useful Group Policy Concepts
byRob Dunn
 
PPT
Ad group policy1
bydenogx
 
PPTX
Microsoft Offical Course 20410C_11
bygameaxt
 
PPTX
Securing Windows with Group Policy
byJosh Rickard
 
PPT
Understanding Group Policy Object Windows Server
byAndikSusilo4
 
PPTX
Group policy Best Practices
byRob Dunn
 
PDF
Group Policy
byChris Watson
 
PPT
Mcts chapter 7
bySadegh Nakhjavani
 
PDF
BloodHound Unleashed.pdf
byn00py1
 
DOCX
Copyright © 2014 by Jones & Bartlett Learning, LLC, an Ascend .docx
byvanesaburnand
 
PPTX
10 implementing GPOs
byHameda Hurmat
 
DOC
Window 2003 server group policy AD
bysentmery5
 
PPTX
Group policy preferences
byRob Dunn
 
PPT
Group policy objects
byMianMuhammadMuaz
 
PPTX
A.Group Policy and group policy obj.pptx
byRosannaFranciscoFlor
 
PPT
Configuring Windows Using Group Policy.ppt
bysudsdeep
 
PPTX
Pentest Apocalypse
byBeau Bullock
 
PPT
70 640 Lesson07 Ppt 041009
byCoffeyville Community College
 
PPT
Chapter09 Implementing And Using Group Policy
byRaja Waseem Akhtar
 
Group Policy Windows Server 2008
byUnitek Eduation
 
Useful Group Policy Concepts
byRob Dunn
 
Ad group policy1
bydenogx
 
Microsoft Offical Course 20410C_11
bygameaxt
 
Securing Windows with Group Policy
byJosh Rickard
 
Understanding Group Policy Object Windows Server
byAndikSusilo4
 
Group policy Best Practices
byRob Dunn
 
Group Policy
byChris Watson
 
Mcts chapter 7
bySadegh Nakhjavani
 
BloodHound Unleashed.pdf
byn00py1
 
Copyright © 2014 by Jones & Bartlett Learning, LLC, an Ascend .docx
byvanesaburnand
 
10 implementing GPOs
byHameda Hurmat
 
Window 2003 server group policy AD
bysentmery5
 
Group policy preferences
byRob Dunn
 
Group policy objects
byMianMuhammadMuaz
 
A.Group Policy and group policy obj.pptx
byRosannaFranciscoFlor
 
Configuring Windows Using Group Policy.ppt
bysudsdeep
 
Pentest Apocalypse
byBeau Bullock
 
70 640 Lesson07 Ppt 041009
byCoffeyville Community College
 
Chapter09 Implementing And Using Group Policy
byRaja Waseem Akhtar
 

Recently uploaded

PDF
Blueprint to build quality before the code exists - StackConnect Milan 2025
byLudovico Besana
 
PDF
Digital Finance Summit 2025 - Prismos by Pepijn Mores
byFinTech Belgium
 
PPTX
How to Change Author in PowerPoint: Update Authorship & Manage Metadata
byjinchaoruan
 
PPTX
WASTEWATER TREATMENT LABORATORY TRAINING.pptx
byImadAghila
 
PDF
Classification and adoption of AI technologies for use in parliaments
byProf. Dr. Fotios Fitsilis
 
PPTX
2025-12-07 Moses 10 (shared slides).pptx
byDale Wells
 
PPTX
Digital Finance Summit 2025 - Vyntra by Joris Lochy
byFinTech Belgium
 
PDF
Digital Finance Summit 2025 - Thomas Vissers
byFinTech Belgium
 
PDF
Information and compensation plan - ExFusion / NEO.FX - Forex - English
byMining RACE
 
PPTX
Life skill habit-3 put first thing first -N (1).pptx
byssuser4f8a7e1
 
PDF
Digital Finance Summit 2025 - Joris Germonpré
byFinTech Belgium
 
PPT
Fast approximate minimum spanning tree based clustering algorithm
byMd. Shakil Hossain
 
PPTX
Digital Finance Summit 2025 - Balint Kis
byFinTech Belgium
 
PPTX
Bob Stewart Unexpected Arrival 12 07 2025.pptx
byFamilyWorshipCenterD
 
PPTX
Digital Finance Summit 2025-Benoit van den Hove
byFinTech Belgium
 
PPTX
Digital Finance Summit 2025 - Inna Kostiuk and Pavlo Denysiuk
byFinTech Belgium
 
PDF
OSMC 2025: Current State of Icinga by Bernd Erk.pdf
byNETWAYS
 
PPTX
Digital Finance Summit 2025 - David Van der Looven
byFinTech Belgium
 
PPTX
Digital Finance Summit 2025 - Cédric Nève
byFinTech Belgium
 
PPTX
How to Create a Timeline in PowerPoint|Step-by-Step Guide
byzhiqiangjiang1
 
Blueprint to build quality before the code exists - StackConnect Milan 2025
byLudovico Besana
 
Digital Finance Summit 2025 - Prismos by Pepijn Mores
byFinTech Belgium
 
How to Change Author in PowerPoint: Update Authorship & Manage Metadata
byjinchaoruan
 
WASTEWATER TREATMENT LABORATORY TRAINING.pptx
byImadAghila
 
Classification and adoption of AI technologies for use in parliaments
byProf. Dr. Fotios Fitsilis
 
2025-12-07 Moses 10 (shared slides).pptx
byDale Wells
 
Digital Finance Summit 2025 - Vyntra by Joris Lochy
byFinTech Belgium
 
Digital Finance Summit 2025 - Thomas Vissers
byFinTech Belgium
 
Information and compensation plan - ExFusion / NEO.FX - Forex - English
byMining RACE
 
Life skill habit-3 put first thing first -N (1).pptx
byssuser4f8a7e1
 
Digital Finance Summit 2025 - Joris Germonpré
byFinTech Belgium
 
Fast approximate minimum spanning tree based clustering algorithm
byMd. Shakil Hossain
 
Digital Finance Summit 2025 - Balint Kis
byFinTech Belgium
 
Bob Stewart Unexpected Arrival 12 07 2025.pptx
byFamilyWorshipCenterD
 
Digital Finance Summit 2025-Benoit van den Hove
byFinTech Belgium
 
Digital Finance Summit 2025 - Inna Kostiuk and Pavlo Denysiuk
byFinTech Belgium
 
OSMC 2025: Current State of Icinga by Bernd Erk.pdf
byNETWAYS
 
Digital Finance Summit 2025 - David Van der Looven
byFinTech Belgium
 
Digital Finance Summit 2025 - Cédric Nève
byFinTech Belgium
 
How to Create a Timeline in PowerPoint|Step-by-Step Guide
byzhiqiangjiang1
 

(Ab)Using GPOs for Active Directory Pwnage

  • 1.
    (Ab)Using GPOs ForActive Directory Pwnage Petros Koutroumpis - @pkb1s Dennis Panagiotopoulos - @den_n1s Red Team Village | DEF CON 27
  • 2.
    Agenda • GPO Internals •Hunting for weak GPO permissions • Example scenarios • Exploitation methods and SharpGPOAbuse
  • 3.
    Previous Work • @grouppolicyguy- https://sdmsoftware.com • @_wald0 - https://wald0.com • @PyroTek3 - https://adsecurity.org • @harmj0y - http://www.harmj0y.net • @_RastaMouse - https://rastamouse.me
  • 4.
    What is aGPO? • Allows administrators to easily control the settings deployed to clients within an Active Directory environment. • Configure settings for User and Computer accounts • Can be Local or in Active Directory
  • 5.
    Components of aGPO • Group Policy Container (GPC) • Group Policy Template (GPT) Also, • Client-Side Extensions (CSEs)
  • 6.
  • 7.
    • displayName • gPCFileSysPath •versionNumber • gPCMachineExtensionNames and gPCUserExtensionNames Group Policy Container (GPC) Important Attributes:
  • 8.
  • 9.
    Client-Side Extensions (CSEs) •DLLs installed on clients • Used to process GPO settings • Identified by a GUID • Found in the gPCMachineExtensionNames and gPCUserExtensionNames attributes of a GPO • Special order
  • 10.
    Client-Side Extensions (CSEs) •gPCMachineExtensionNames value when Audit Policy is configured [ {827D319E-6EAC-11D2-A4EA-00C04F79F83A} //Security Settings {803E14A0-B4FB-11D0-A0D0-00A0C90F574B} //Computer Restricted Groups ] • gPCMachineExtensionNames value after adding a Startup Script [ {42B5FAAE-6536-11D2-AE5A-0000F87571E3} //Process Scripts Group Policy {40B6664F-4972-11D1-A7CA-0000F87571E3} //Startup - Shutdown Scripts ] [ {827D319E-6EAC-11D2-A4EA-00C04F79F83A} //Security Settings {803E14A0-B4FB-11D0-A0D0-00A0C90F574B} //Computer Restricted Groups ]
  • 11.
  • 12.
    GPO Precedence andInheritance What happens when multiple GPOs apply to a client? • Local • Site • Domain • OU
  • 13.
    GPO Precedence andInheritance • What happens when multiple GPOs are linked to the same OU?
  • 14.
    Blocking and Enforcement Settingsthat can affect the GPO processing order: • Block Inheritance • Enforcement
  • 15.
  • 16.
  • 17.
  • 18.
    GPO Processing There are2 types of GPO processing: • Foreground – All settings are processed – Affects login/logoff times • Background – Applied at regular intervals – Not all settings are processed
  • 19.
  • 20.
    The GpLink Attribute GPLinkOptions: •0: The GPO is not enforced. This is the default value • 1: The GPO link is not enabled • 2: The GPO is enforced • 3: The GPO is enforced but not enabled [LDAP://cn={9CD1C444-260F-40C6-A67B-E178446622A5},cn=policies,cn=system,DC=europa,DC=com;0] [LDAP://cn={77D3AFFC-1292-4DBE-AE89-CEDEE60BAD0E},cn=policies,cn=system,DC=europa,DC=com;2] [LDAP://cn={C877A421-BF69-439E-89C3-99CF82C71299},cn=policies,cn=system,DC=europa,DC=com;2]
  • 21.
  • 22.
  • 23.
  • 24.
  • 25.
  • 26.
  • 27.
    GPO Permissions • Owns •GenericAll • GenericWrite • WriteProperty • WriteDACL • WriteOwner https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
  • 28.
    Hunting for weakGPO permissions Tools of the trade: • accesschk.exe, icacls, etc • BloodHound – https://github.com/BloodHoundAD/BloodHound • PowerView – https://github.com/PowerShellMafia/PowerSploit • Grouper2 – https://github.com/l0ss/Grouper2
  • 29.
    BloodHound • Released in2016 by @_wald0, @CptJesus and @harmj0y • Uses graph theory to reveal relationships between active directory components • An ingestor collects data that can be loaded onto a neo4j database • Useful for both Red and Blue teams
  • 30.
  • 31.
    BloodHound and GPOs •If a gPLink is dotted then the GPO is not enforced • If a gPLink is solid then the GPO is Enforced • If a Contains link is dotted then Block Inheritance is enabled
  • 32.
  • 33.
  • 34.
    What about inreal life? • Misconfigurations are very common • Multiple instances where arbitrary “low-privileged” users were able to modify a GPO
  • 35.
    Example 1 –Compromise Computer
  • 36.
    Example 2 –Compromise User
  • 37.
    Exploiting these scenarios •Group Policy Management Console (GPMC) • Manually edit GPC and GPT • SharpGPOAbuse 
  • 38.
  • 39.
    Manual Exploitation • EachGPO settings has different dependencies: – Hidden .ini files – Various .xml files • Error prone • Time consuming
  • 40.
    Manual Exploitation Things tobe remember: • CSE order in gPCMachineExtensionNames and gPCUserExtensionNames • Version number in GPT.ini and versionNumber attribute must be the same. – versionNumber = {User Node: upper 16 bits}{Machine Node: lower 16 bits}
  • 41.
    Manual Exploitation Adding auser to the local Administrators group: • Find the SID of the user we want to add as a local admin • Get the GUID of the target GPO • Create SYSVOLdomainPolicies{GUID}MachineMicrosoftWindows NTSecEditGptTmpl.inf with the following contents: [Unicode] Unicode=yes [Version] signature="$CHICAGO$" Revision=1 [Group Membership] *S-1-5-32-544__Memberof = *S-1-5-32-544__Members = *<USER-SID>
  • 42.
    Manual Exploitation • Calculatethe new GPO version • Update the value of the version parameter in SYSVOLdomainPolicies{GUID}GPT.ini • Update the versionNumber attribute in the GPC • Find the values of the required CSEs and add them sorted in the gPCMachineExtensionNames attribute of the GPO object • Hope you didn’t mess anything up 
  • 43.
    SharpGPOAbuse • .NET applicationwritten in C# • Simplifies the process – a lot • Can be used to exploit both Computer and User GPO settings
  • 44.
    SharpGPOAbuse - Functionality Currentlysupports the following: • Add rights to user (SeDebugPrivilege, SeImpersonatePrivilege, etc.) • Add startup scripts • Add immediate tasks to user or computer • Add user to local Administrators group
  • 45.
    Example 1 –Compromise Computer
  • 47.
    Example 2 –Compromise User
  • 49.
    Bonus - Whatabout cross domain? • GPOs can also apply to different domains • New PR to SharpHound • You can use SharpGPOAbuse to abuse this scenario as well 
  • 50.
    Bonus - Whatabout cross domain?
  • 52.
    Related Links SharpGPOAbuse • https://github.com/mwrlabs/SharpGPOAbuse AdditionalLinks • https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy- basics-part-1-understanding-the-structure-of-a-group-policy-object/#comments • http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/ • https://wald0.com/?p=179 • https://adsecurity.org/?p=2716 • https://rastamouse.me/2019/01/gpo-abuse-part-2/ • https://rastamouse.me/2019/01/gpo-abuse-part-1/
  • 53.