Infiltr8ForumGitHub

Group policies

Theory

In certain scenarios, an attacker can gain control over GPOs. Some ACEs can give that control (see this BlackHat conf, page 28):

  • WriteProperty to the GPC-File-Sys-Path property of a GPO (specific GUID specified)

  • GenericAll, GenericWrite, WriteProperty to any property (no GUID specified)

  • WriteDacl, WriteOwner

This page is about enumeration, for GPO-based attacks, please refer to this page.

Practice

PowerView

We can enumerate interesting GPO's domain Object's ACL using Get-NetGPO and Get-ObjectAcl from Powersploit's Powerview.

#Enumerate all GPO ACLs
Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name} |select-object @{Name='SecurityIdentifierName';Expression={"$($_.SecurityIdentifier.Value|Convert-SidToName)"}},@{Name='SecurityIdentifierSID';Expression={"$($_.SecurityIdentifier.Value)"}},@{Name='ActiveDirectoryRights';Expression={"$($_.ActiveDirectoryRights)"}},ObjectDN|ConvertTo-Json -Compress|Out-File gpos.json

Then, on your attacking machine, we can use the following command to format results

#From UTF-16LE to UTF-8
dos2unix gpo.json

#Parsing json results
cat gpo.json|jq '.[]| "\(.SecurityIdentifierName):\(.SecurityIdentifierSID) | Have: \(.ActiveDirectoryRights) | On: \(.ObjectDN)"'

You may resolve computer names linked with a GPO as follow 

Get-NetOU -GUID "{DDC640FF-634A-4442-BC2E-C05EED132F0C}" | % {Get-NetComputer -ADSpath $_}

Resources

Last updated