5.1.3 - GPO Abuse
Group Policy Objects can be abused through multiple attacks, such as:
EvilGPOs (Immediate Schedule Task)
Add Local Admin
Modify Group Policy
Grant Rights (Generic All)
Grant Ownership
A GPO with an overly permissive ACL can be abused for multiple attacks (the flagged attacks are covered in the course):
In this case we focus on Add Local Admin and Modify Group Policy.
GPOddity combines NTLM relaying with modification of the Group Policy Container.
By relaying the credentials of a user who has WriteDACL on the GPO, we can modify the path (gPCFileSysPath) of the Group Policy Template (by default it points to SYSVOL).
Using this, we can load a malicious template from a location controlled by the attacker.
Refer to the lab.
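Because the technique above depends on gPCFileSysPath pointing away from SYSVOL, a defender can audit that attribute on every Group Policy Container. The following is an added example, not part of the course material: it assumes the GPC attributes have already been exported as dictionaries, that the domain is the constructed name `corp.example`, and that GPOs use the default `\\<domain>\SysVol\<domain>\Policies\{GUID}` layout.

```python
import re

# \\host\share\rest
UNC_RE = re.compile(r"^\\\\([^\\]+)\\([^\\]+)\\(.+)$")

def check_gpc_path(record, domain):
    """Return the reasons this GPC's gPCFileSysPath deviates from the default."""
    match = UNC_RE.match(record.get("gPCFileSysPath", ""))
    if not match:
        return ["not a UNC path"]
    host, share, rest = (part.lower() for part in match.groups())
    cn = record["cn"]
    reasons = []
    if host != domain.lower():
        reasons.append(f"host '{host}' is not the domain namespace")
    if share != "sysvol":
        reasons.append(f"share '{share}' is not SYSVOL")
    # Assumption: the template folder is named after the GPC's own cn (GUID).
    expected = f"{domain}\\policies\\{cn}".lower()
    if rest.rstrip("\\") != expected:
        reasons.append("template folder does not match this GPO's GUID")
    return reasons

def audit(records, domain):
    """Map GPO cn -> list of reasons, only for GPCs that look redirected."""
    findings = {}
    for record in records:
        reasons = check_gpc_path(record, domain)
        if reasons:
            findings[record["cn"]] = reasons
    return findings

# Constructed sample export: one default path, one redirected off-domain,
# one pointing at another GPO's template folder.
SAMPLE = [
    {"cn": "{31B2F340-016D-11D2-945F-00C04FB984F9}",
     "gPCFileSysPath": r"\\corp.example\sysvol\corp.example\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}"},
    {"cn": "{11111111-2222-3333-4444-555555555555}",
     "gPCFileSysPath": r"\\192.0.2.10\share\policy"},
    {"cn": "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}",
     "gPCFileSysPath": r"\\CORP.EXAMPLE\SysVol\corp.example\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}"},
]

if __name__ == "__main__":
    for cn, reasons in audit(SAMPLE, "corp.example").items():
        print(cn, "->", "; ".join(reasons))
```

Any finding is worth correlating with recent changes to the GPO's ACL, since the redirect requires write access to the Group Policy Container.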