Enumerating Group Policy Objects (GPOs)

GPO Abuse

  • Adding additional rights to a user

  • Adding a local admin

  • Creating an immediate scheduled task

Gain Persistence Via GPOs

  • Configure a GPO to run any of the above attacks.

  • Create a scheduled task to modify group membership, add an account, run DCSync, or send back a reverse shell connection.

  • Install targeted malware across the entire Domain.

Gathering GPO Data

GPO Names

Code

Get-DomainGPO | select displayname

Specific Computer

Code

Get-DomainGPO -ComputerName WS01 | select displayname

gpresult (Built-in Tool)

Code

gpresult /r /user:harry.jones
gpresult /r /S WS01

Output Result in HTML

Code

gpresult /h gpo_report.html

GPO Permissions

Get-DomainGPO | Get-ObjectAcl

Code

Get-DomainGPO | Get-ObjectAcl | ? {$_.SecurityIdentifier -eq 'S-1-5-21-2974783224-3764228556-2640795941-513'}

Get-GPO

Code

Get-GPO -Guid 831DE3ED-40B1-4703-ABA7-8EA13B2EB118

Example

DisplayName      : Screensaver
DomainName       : INLANEFREIGHT.LOCAL
Owner            : INLANEFREIGHT\Domain Admins
Id               : 831de3ed-40b1-4703-aba7-8ea13b2eb118
GpoStatus        : AllSettingsEnabled
Description      :
CreationTime     : 8/26/2020 10:46:46 PM
ModificationTime : 8/26/2020 11:11:01 PM
UserVersion      : AD Version: 0, SysVol Version: 0
ComputerVersion  : AD Version: 0, SysVol Version: 0
WmiFilter        :

Code Execution Via GP

Paths

  • Add Registry Autoruns

  • Software Installation (Install MSI Package that exists on a share)

  • Scripts in the Startup/Shutdown for a Machine or User

  • Create Shortcuts on Desktops that point to files

  • Scheduled Tasks

If any of these paths points to a file on a share, enumerate the permissions on that file to check whether non-administrators can edit it. Tools often miss this because they only check whether the Group Policy itself is writable, not whether the executables or scripts the Group Policy references are writable.
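One way to run that check as an audit, added here as an example and not part of the original notes: it pulls each GPO's XML report, extracts UNC paths to executables or scripts, and lists ACEs that grant write-type rights to non-administrative principals. It assumes the RSAT GroupPolicy module and read access to the shares; the extension list and the set of SIDs treated as administrative are assumptions to adjust for your environment.

```powershell
Import-Module GroupPolicy

# Rights that allow changing a file's content or its ACL, plus the raw
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits some ACEs carry.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership' -bor 0x50000000

# SIDs treated as administrative (assumption): SYSTEM, BUILTIN\Administrators,
# Enterprise Domain Controllers, Domain Admins (-512), Enterprise Admins (-519).
$adminSid = '^(S-1-5-18|S-1-5-32-544|S-1-5-9|S-1-5-21-[\d-]+-(512|519))$'

# UNC path ending in an executable or script extension (assumed list).
$uncFile = '\\\\[^\\/<>"\s]+\\[^<>"|?*\r\n]+?\.(?:exe|msi|bat|cmd|ps1|vbs|js|dll)\b'

$findings = foreach ($gpo in Get-GPO -All) {
    # The XML report contains the settings, including referenced file paths.
    $xml   = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $paths = [regex]::Matches($xml, $uncFile, 'IgnoreCase') |
             ForEach-Object { $_.Value } | Sort-Object -Unique

    foreach ($path in $paths) {
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            # A referenced file that is missing or unreadable still needs review.
            [pscustomobject]@{ GPO = $gpo.DisplayName; Path = $path
                               Principal = '-'; Rights = 'missing or unreadable' }
            continue
        }
        # Request the ACEs with SIDs so matching does not depend on name resolution.
        $rules = (Get-Acl -LiteralPath $path).GetAccessRules(
                     $true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            $sid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and
                $sid -notmatch $adminSid -and
                ([int]$ace.FileSystemRights -band $writeMask)) {
                [pscustomobject]@{ GPO = $gpo.DisplayName; Path = $path
                                   Principal = $sid; Rights = $ace.FileSystemRights }
            }
        }
    }
}
$findings | Format-Table -AutoSize
```

This covers NTFS permissions on the file only; share-level permissions and write access to the parent directory need a separate check.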
