GPO On-Site Attack
This technique can be used to move from a child domain to the parent (forest root) domain. The steps are the following:

1. Create a malicious GPO on the child DC.
2. Query the root domain to identify the replication site of the root domain (the site its DCs belong to).
3. Link the created GPO to the default replication site of the root DC as SYSTEM.
4. Upon completion of replication, confirm the presence of the created GPO within the root DC.

This works because site objects, and therefore their gPLink attribute, live in the Configuration partition, which every writable DC in the forest holds a replica of. The SYSTEM context on the child DC can write that partition locally, the new site link replicates to the root DCs, and the root DCs then apply the child-domain GPO as computer policy.
We'll start by creating a GPO in the child domain.

With that set up, we'll create a scheduled task inside that GPO that adds a new user. Make sure to set the "Run a new instance in parallel" option on the task, and verify that the task has actually been added to the GPO.

After this, it's time to link the GPO to the default replication site of the root DC: first retrieve the site, then link the GPO to it from a SYSTEM shell.
Now we can wait for the task to run and request a TGT for the backdoored user on the parent DC.
The target might need to be reset after the scheduled task ran.