GPO modification attack
Last updated
A GPO exists. By default, the Default Domain Policy exists.
A GPO admin (a group or an account) has the GenericAll privilege on the GPO.
A compromised account is a member of the GPO admin group, or has GenericAll or WriteDACL privileges over the GPO admin account.
If the account only has WriteDACL, update the privilege to GenericAll.
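The preconditions above come down to one question a defender can check on every GPO: which principals, beyond the built-in editors, hold GenericAll, GenericWrite, WriteDacl or WriteOwner on the groupPolicyContainer object? The following is an added example, not code from the page or from any of the tools it references. The ACE list is constructed by hand to mirror the BloodHound finding described later (a "GPO Admins" group holding GenericWrite, WriteDacl and WriteOwner); the domain name "CORP", the trustee names and the expected-editor set are assumptions. The access-mask bits are the standard ADS_RIGHTS_ENUM values used in AD security descriptors.

```python
"""Audit the ACEs on a Group Policy Object for principals able to edit or take it over.

Added example with a constructed ACE list; in production the ACEs would come from the
security descriptor of the GPO's groupPolicyContainer object (or from Get-GPPermission).
"""
from dataclasses import dataclass

# ADS_RIGHTS_ENUM access-mask bits (standard Windows values).
GENERIC_ALL   = 0x10000000
GENERIC_WRITE = 0x40000000
WRITE_DAC     = 0x00040000   # shown as "WriteDacl" in BloodHound
WRITE_OWNER   = 0x00080000   # shown as "WriteOwner" in BloodHound

# Principals expected to hold edit rights on every GPO (assumed for the example);
# any other trustee with one of the rights above is reported for review.
EXPECTED_EDITORS = {
    "NT AUTHORITY\\SYSTEM",
    "CORP\\Domain Admins",
    "CORP\\Enterprise Admins",
    "CREATOR OWNER",
}


@dataclass(frozen=True)
class Ace:
    trustee: str
    mask: int
    ace_type: str = "Allow"   # "Allow" or "Deny"


def edit_rights(mask: int) -> list[str]:
    """Names of the rights in `mask` that allow editing or taking over the GPO."""
    found = []
    if mask & GENERIC_ALL:
        found.append("GenericAll")
    if mask & GENERIC_WRITE:
        found.append("GenericWrite")
    if mask & WRITE_DAC:
        found.append("WriteDacl")
    if mask & WRITE_OWNER:
        found.append("WriteOwner")
    return found


def find_unexpected_editors(aces, expected=EXPECTED_EDITORS):
    """Return {trustee: [rights]} for Allow ACEs that grant edit/takeover rights to
    principals outside `expected`. Deny ACEs never grant anything, so they are skipped."""
    findings = {}
    for ace in aces:
        if ace.ace_type != "Allow" or ace.trustee in expected:
            continue
        for right in edit_rights(ace.mask):
            rights = findings.setdefault(ace.trustee, [])
            if right not in rights:
                rights.append(right)
    return findings


# Constructed ACL: "GPO Admins" holds GenericWrite, WriteDacl and WriteOwner, which is
# enough to edit the GPO and to grant itself GenericAll. 0x00020094 is read-type
# rights only (READ_CONTROL, list, read property) and must not be reported.
SAMPLE_ACL = [
    Ace("NT AUTHORITY\\SYSTEM", GENERIC_ALL),
    Ace("CORP\\Domain Admins", GENERIC_ALL),
    Ace("CORP\\Authenticated Users", 0x00020094),
    Ace("CORP\\GPO Admins", GENERIC_WRITE | WRITE_DAC | WRITE_OWNER),
    Ace("CORP\\Helpdesk", WRITE_DAC, ace_type="Deny"),
]

if __name__ == "__main__":
    for trustee, rights in find_unexpected_editors(SAMPLE_ACL).items():
        print(f"REVIEW: {trustee} can edit or take over the GPO via {', '.join(rights)}")
```

Running the block reports only "CORP\GPO Admins". The point of the check is that WriteDacl and WriteOwner are treated as equivalent to GenericAll: either one lets the holder rewrite the ACL, so an audit that only looks for GenericAll misses the exact situation the preconditions describe.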
Here is a vulnerable BloodHound result: a user is a member of the GPO Admins group, which has GenericWrite, WriteDacl and WriteOwner permissions on the GPO. With those rights, you can edit the GPO.
The example below shows that the 'Support' account is a member of GPO Admins. In this case, you can use the current 'Support' account and its credentials with SharpGPOAbuse.exe to escalate privileges to the Administrators group, either by adding the account to the local Administrators group or by sending a reverse shell back to Kali with administrator privileges.
SharpGPOAbuse is a .NET application written in C# that can be used to take advantage of a user's edit rights on a Group Policy Object (GPO) in order to compromise the objects that are controlled by that GPO.
Reference: https://github.com/FSecureLABS/SharpGPOAbuse
Pre-compiled executable: https://github.com/Flangvik/SharpCollection/raw/master/NetFramework_4.0_x64/SharpGPOAbuse.exe
There are at least two options to escalate privileges.
This example shows that Amelia.Griffiths is a member of the Legacy group, which has WriteDACL on the GPOADM account; this means Amelia.Griffiths can change the password of the GPOADM account. With the GPOADM account and its new credentials, you can run pyGPOAbuse.py to escalate privileges to the Administrators group by creating a scheduled task that adds the account to the local Administrators group. Alternatively, you can create a shadow account for the GPO admin account instead of taking a new credential; with the shadow account, you can run pyGPOAbuse.py to do the same.
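Both paths above end the same way on the domain controller: the GPO's groupPolicyContainer object is modified, and with the "Audit Directory Service Changes" subcategory enabled (and a SACL on the object that audits writes) each changed attribute produces an Event ID 5136. The second path additionally resets the GPOADM password, which produces an Event ID 4724 with Amelia.Griffiths as the subject. The following is an added example, not code from the page or from SharpGPOAbuse/pyGPOAbuse; it runs simple detection logic over constructed log lines in which the relevant event fields have been flattened to key=value pairs (real events arrive as EVTX/XML). The account names, the expected-editor allow-list and the event ordering are assumptions; the two GPO GUIDs are the well-known Default Domain Policy and Default Domain Controllers Policy identifiers.

```python
"""Flag Group Policy Object edits in Directory Service Changes events (ID 5136), and
raise the severity when the editing account had its password reset (ID 4724) by
someone else shortly before, which is how a WriteDACL-on-the-admin-account path looks.

Added example over constructed, flattened log lines; one event per line, key=value
fields separated by spaces (constructed DNs therefore contain no spaces).
"""
import re
from collections import namedtuple

# Attributes whose change on a groupPolicyContainer is most relevant to a GPO edit.
# versionNumber changes on every edit; the extension-name lists change when a new
# client-side extension (e.g. scheduled-task preferences) is added to the GPO.
HIGH_RISK_ATTRS = {
    "nTSecurityDescriptor",      # GPO ACL changed (WriteDacl -> GenericAll style change)
    "gPCMachineExtensionNames",  # computer-side CSE list changed
    "gPCUserExtensionNames",     # user-side CSE list changed
    "versionNumber",             # GPO content edited
}

EXPECTED_EDITORS = {"Administrator", "gpoadm"}   # assumed allow-list of GPO editors

Finding = namedtuple("Finding", "user gpo_dn attribute severity reason")

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Parse one flattened event line into a dict of its key=value fields."""
    return dict(_KV.findall(line))


def score(user: str, attr: str, reset_by: dict, expected: set):
    """Decide severity and reason for a GPO edit by `user` on attribute `attr`."""
    if user in reset_by:
        return "high", f"edit by {user} after its password was reset by {reset_by[user]}"
    if user not in expected:
        return "high", f"edit by {user}, which is not an expected GPO editor"
    if attr == "nTSecurityDescriptor":
        return "medium", "GPO ACL changed by an expected editor"
    if attr in HIGH_RISK_ATTRS:
        return "low", "routine GPO edit by an expected editor"
    return "low", "other GPO attribute changed by an expected editor"


def analyze(lines, expected=EXPECTED_EDITORS):
    """Process events in order; 4724 resets are remembered and applied to later 5136s."""
    reset_by = {}      # target account -> account that reset its password
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "4724":
            subject, target = ev.get("SubjectUserName"), ev.get("TargetUserName")
            if subject and target and subject != target:
                reset_by[target] = subject
            continue
        if ev.get("EventID") != "5136" or ev.get("ObjectClass") != "groupPolicyContainer":
            continue
        user = ev.get("SubjectUserName", "?")
        attr = ev.get("AttributeLDAPDisplayName", "?")
        severity, reason = score(user, attr, reset_by, expected)
        findings.append(Finding(user, ev.get("ObjectDN", "?"), attr, severity, reason))
    return findings


# Constructed events: a routine edit by Administrator, an edit by 'Support' (the GPO
# Admins member from the text), a password reset of gpoadm by Amelia.Griffiths
# followed by a GPO edit as gpoadm, and an unrelated user-object change.
GPO_DEFAULT = "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=local"
GPO_DC = "CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=local"
EVENTS = [
    f"EventID=5136 SubjectUserName=Administrator ObjectClass=groupPolicyContainer ObjectDN={GPO_DEFAULT} AttributeLDAPDisplayName=versionNumber OperationType=%%14674",
    f"EventID=5136 SubjectUserName=Support ObjectClass=groupPolicyContainer ObjectDN={GPO_DC} AttributeLDAPDisplayName=gPCMachineExtensionNames OperationType=%%14674",
    "EventID=4724 SubjectUserName=Amelia.Griffiths TargetUserName=gpoadm",
    f"EventID=5136 SubjectUserName=gpoadm ObjectClass=groupPolicyContainer ObjectDN={GPO_DEFAULT} AttributeLDAPDisplayName=versionNumber OperationType=%%14674",
    "EventID=5136 SubjectUserName=Administrator ObjectClass=user ObjectDN=CN=bob,CN=Users,DC=corp,DC=local AttributeLDAPDisplayName=description OperationType=%%14674",
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"[{f.severity.upper()}] {f.user} changed {f.attribute} on {f.gpo_dn}: {f.reason}")
```

The first path (a GPO Admins member editing directly) is caught by the allow-list alone. The second path is the one an allow-list misses, because gpoadm is a legitimate editor; correlating with the preceding 4724 is what turns that edit into a high-severity finding, and it is worth alerting on the 4724 itself whenever the target is a GPO-editing account.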