Group Policy Abuse

Identify

Get-GPO -All | Select DisplayName
list all GPO names

Check whether a group holds control over any GPO

$sid=Convert-NameToSid "Domain Users"
Get-DomainGPO | Get-ObjectAcl | ?{$_.SecurityIdentifier -eq $sid}
look for things like WriteProperty and WriteDacl

Converting GPO GUID to Name

Get-GPO -Guid 7CA9C789-14CE-46E3-A722-83F4097AF532
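The two checks above (ACL lookup by SID, then GUID-to-name conversion) combined into one audit script, from the defender's side. This is an added example, not from the original notes and not PowerView code: it uses the RSAT GroupPolicy and ActiveDirectory modules (assumed to be installed, session running as a domain user), flags any GPO whose ACL grants write-class rights to a broad principal, resolves the GUID to a display name, and lists where the GPO is linked. The principal list and the Revoke-BroadGpoPermission helper are my additions.

```powershell
# Added audit example (not from the original notes): find GPOs whose ACL gives
# write-class rights to broad principals such as Domain Users, and show where
# each one is linked. Assumes RSAT GroupPolicy + ActiveDirectory modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Principals that should never hold write rights over a GPO (assumed list; extend as needed).
$BroadPrincipals = @('Domain Users', 'Authenticated Users', 'Everyone', 'Domain Computers')

# Rights that amount to control of the policy object (WriteProperty/WriteDacl as on the page, plus owner/generic bits).
$RiskyRights = [int][System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, WriteOwner, GenericWrite, GenericAll'

function Get-GpoLinks {
    # Returns the OU/domain paths a GPO is linked to, taken from its XML report.
    param([Guid]$Guid)
    $report = [xml](Get-GPOReport -Guid $Guid -ReportType Xml)
    @($report.GPO.LinksTo | ForEach-Object { $_.SOMPath })
}

function Find-WeakGpoAcl {
    param([string[]]$Principals = $BroadPrincipals)
    foreach ($gpo in Get-GPO -All) {
        # Get-GPO exposes the policy container's DN as .Path; read its ACL via the AD: drive.
        $acl = Get-Acl -Path ("AD:\" + $gpo.Path)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $name = $ace.IdentityReference.Value.Split('\')[-1]   # strip DOMAIN\ prefix
            if ($Principals -notcontains $name) { continue }
            if (([int]$ace.ActiveDirectoryRights -band $RiskyRights) -eq 0) { continue }
            [pscustomobject]@{
                GpoName    = $gpo.DisplayName          # GUID resolved to name
                GpoGuid    = $gpo.Id
                Principal  = $ace.IdentityReference.Value
                Rights     = $ace.ActiveDirectoryRights
                ObjectType = $ace.ObjectType           # all-zero GUID = applies to every attribute
                LinkedTo   = (Get-GpoLinks -Guid $gpo.Id) -join '; '
            }
        }
    }
}

function Revoke-BroadGpoPermission {
    # Remediation helper: remove the principal's rights on the GPO with the GroupPolicy module.
    param([Guid]$Guid, [string]$Principal)
    Set-GPPermission -Guid $Guid -TargetName $Principal -TargetType Group -PermissionLevel None
}

Find-WeakGpoAcl | Format-Table -AutoSize
```

Review the ObjectType column before acting on a hit: a WriteProperty ACE scoped to a single attribute is far less severe than one with an all-zero ObjectType, which covers every property of the GPO. The LinkedTo column answers the same question as the Affected Objects tab in BloodHound. Run Revoke-BroadGpoPermission only against rows you have confirmed, since it removes the group's permissions on that GPO entirely.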

group3r

group3r.exe -f <filepath-name.log>
run on a domain-joined host as a domain user

In BloodHound

Checking in BloodHound, we can see that the Domain Users group has several rights over the Disconnect Idle RDP GPO, which could be leveraged for full control of the object.

If we select the GPO in BloodHound and scroll down to Affected Objects on the Node Info tab, we can see that this GPO is applied to one OU, which contains four computer objects.

Exploit

We could use a tool such as SharpGPOAbuse to take advantage of this GPO misconfiguration by performing actions such as adding a user that we control to the local admins group on one of the affected hosts, creating an immediate scheduled task on one of the hosts to give us a reverse shell, or configuring a malicious computer startup script to provide us with a reverse shell or similar.