
Group Policy Objects

A Group Policy Object (GPO) is a virtual collection of policy settings. Each GPO is identified by a unique name, a GUID. Domain GPOs live in two places: the policy object in Active Directory (under CN=Policies,CN=System in the domain) and the settings files in the SYSVOL share replicated to every domain controller, at \\<domain>\SYSVOL\<domain>\Policies\{GUID}.

Each Windows computer also has a local policy configuration. Domain GPOs linked to the computer's site, domain or OU are applied on top of it and win on conflict. Among other things, a GPO can configure applications, local group membership (for example the Administrators and Remote Desktop Users groups), startup scripts and security settings.


Exploiting GPO's

Required privileges: write (edit) permission on a GPO that is linked to the target computer's OU. Delegated edit rights on a single GPO are enough; Domain Admin membership is not required.

The simplest approach is to add an AD account we control to both the local Administrators and the local Remote Desktop Users groups on the target computers.

Administrators membership would also allow SSH logons where OpenSSH Server is installed, but few Windows estates provide it. RDP (through Remote Desktop Users) and lateral movement with tools such as Impacket's smbexec (through Administrators) are the more reliable options.

To modify the GPO we need to open Group Policy Management as the AD user that holds the edit permission on it.

Modifying the GPO

We could RDP into a server with the credentials of the user that can modify the GPO, but if that user has an active session our logon may disconnect it and raise suspicion.

Suggested method: RDP into a machine we already have access to as a low-privileged user, start a command prompt with the AD user's credentials using runas /netonly, and open MMC from that prompt to modify the GPO. With /netonly the process keeps the low-privileged local token (whoami still shows the original user) and presents the AD credentials only for network authentication, which is all that editing a GPO over LDAP and SMB requires.


:: Provide the password when prompted. /netonly keeps the local token of the
:: low-privileged user and uses the AD credentials only for network authentication
runas /netonly /user:za.adobe.loc\AD-Username cmd.exe

:: Verify the credentials: the listing succeeds only if the domain accepted them
:: (a wrong password produces "Logon failure: unknown user name or bad password")
dir \\za.adobe.loc\sysvol

:: Start the Microsoft Management Console from this new window so the
:: Group Policy Management snap-in authenticates as the AD user
mmc

Microsoft Management Console

  • Next, add the Group Policy Management snap-in:
    • Click File > Add/Remove Snap-in
    • Select the Group Policy Management snap-in and click Add
    • Click OK

We can now navigate to the GPO that our user has permission to modify (Servers > Management Servers > Management Server Pushes). The GPO is linked to the Management Servers OU, so whatever we configure in it is applied to every computer in that OU.

Right-click the GPO and select Edit. This opens the Group Policy Management Editor window.
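Clicking through the GPMC tree to find the GPO we can edit is slow and noisy in a large domain. The following PowerShell, added here as an example and not part of the original page, lists every GPO on which a given trustee holds edit rights, together with the OUs it is linked to and its SYSVOL path. It assumes the RSAT Group Policy Management feature (the GroupPolicy module) is installed on the jump host and that it is run from the window started with runas /netonly, so the module authenticates to the domain controller as the AD user. The domain and user names are taken from the page; the trustee list is an assumption you replace with your own account and the groups it belongs to.

```powershell
# Added example (not from the original page): list the GPOs a trustee can edit,
# where each is linked, and where its files live in SYSVOL.
# Assumes RSAT "Group Policy Management" is installed on this host and that the
# shell was started with runas /netonly as the AD user (so LDAP/SMB use its creds).
Import-Module GroupPolicy

function Get-EditableGpo {
    param(
        [Parameter(Mandatory)] [string]   $Domain,   # e.g. za.adobe.loc (from the page)
        [Parameter(Mandatory)] [string[]] $Trustees  # account and its groups, e.g. 'AD-Username'
    )
    # Permission levels that allow changing the policy's settings
    $editLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity'

    Get-GPO -All -Domain $Domain | ForEach-Object {
        $gpo = $_
        # One entry per trustee (user/group) with its permission level on this GPO
        $perms = Get-GPPermission -Guid $gpo.Id -All -DomainName $Domain |
            Where-Object {
                $Trustees -contains $_.Trustee.Name -and
                $editLevels -contains $_.Permission.ToString()
            }
        if ($perms) {
            # The XML report carries the link targets (SOM = scope of management)
            $report = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $Domain)
            [pscustomobject]@{
                Name       = $gpo.DisplayName
                Guid       = $gpo.Id
                GrantedTo  = ($perms.Trustee.Name | Select-Object -Unique) -join ','
                Permission = ($perms.Permission | Select-Object -Unique) -join ','
                LinkedTo   = @($report.GPO.LinksTo.SOMPath) -join '; '
                SysvolPath = "\\$Domain\SYSVOL\$Domain\Policies\{$($gpo.Id)}"
            }
        }
    }
}

# Trustee names are assumptions: pass the AD user and every group it is a member of,
# because edit rights are usually delegated to a group rather than to the user directly.
Get-EditableGpo -Domain 'za.adobe.loc' -Trustees 'AD-Username', 'IT Support' | Format-List
```

Edit rights granted through nested group membership will only show up if the intermediate group is included in the trustee list, so enumerate the account's groups first (for example with whoami /groups from a session as that user, or from the domain with Get-ADPrincipalGroupMembership). The LinkedTo column tells you which OU, and therefore which computers, a change to that GPO will reach.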


  • To add our account to the local groups, perform these steps:
    • Expand Computer Configuration
    • Expand Policies
    • Expand Windows Settings
    • Expand Security Settings
    • Right-click Restricted Groups and select Add Group
    • Click Browse, enter the name of the AD group we control (the one our account is a member of) and click Check Names
    • Click OK twice

The properties dialog has two lists. The first, "Members of this group", is left empty: that list is authoritative and would replace the membership of the named group, which is not what we want. In the second, "This group is a member of", we add both Administrators and Remote Desktop Users: this list is additive and causes our group to be added to those two local groups on every computer the GPO applies to. Once both are entered, click Apply and OK.
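The MMC edit above does nothing more than write a [Group Membership] section into the GPO's GptTmpl.inf in SYSVOL. The following PowerShell, added here as an example and not code from the original page, parses that section and reports which principal is being pushed into which local group, distinguishing the additive "Memberof" list from the authoritative "Members" list. It is a useful way to confirm the edit landed before waiting for the refresh, and the same parser, run over every GPO's GptTmpl.inf, is what a defender would use to audit for this technique. The sample .inf text and the domain SID in it are constructed for the example; the SYSVOL path uses the domain from the page and a GUID placeholder.

```powershell
# Added example (not from the original page): read Restricted Groups settings from
# a GptTmpl.inf and show which principal is added to which local group.

# Well-known local group SIDs that appear in Restricted Groups entries
$WellKnownGroups = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-555' = 'Remote Desktop Users'
    'S-1-5-32-545' = 'Users'
}

function Get-RestrictedGroupMembership {
    param([Parameter(Mandatory)] [string] $IniText)

    $inSection = $false
    $entries   = @{}   # group -> @{ Members = @(); Memberof = @() }
    foreach ($line in $IniText -split "`r?`n") {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection -or -not $line) { continue }
        # Entry format: <group>__Members = <list>   or   <group>__Memberof = <list>
        # Principals are written as "*SID" (or a plain name); the list is comma-separated
        if ($line -match '^(?<group>.+?)__(?<kind>Members|Memberof)\s*=\s*(?<list>.*)$') {
            $group = $Matches.group.TrimStart('*')
            $kind  = $Matches.kind
            $list  = @($Matches.list -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
            if (-not $entries.ContainsKey($group)) { $entries[$group] = @{ Members = @(); Memberof = @() } }
            $entries[$group][$kind] += $list
        }
    }
    foreach ($group in $entries.Keys) {
        foreach ($target in $entries[$group].Memberof) {
            $name = if ($WellKnownGroups.ContainsKey($target)) { $WellKnownGroups[$target] } else { $target }
            # "Memberof" is additive: $group is added to $target on every computer in scope
            [pscustomobject]@{ Principal = $group; LocalGroup = $name; Mode = 'Memberof (additive)' }
        }
        foreach ($member in $entries[$group].Members) {
            $name = if ($WellKnownGroups.ContainsKey($group)) { $WellKnownGroups[$group] } else { $group }
            # "Members" is authoritative: the local group's membership is replaced by this list
            [pscustomobject]@{ Principal = $member; LocalGroup = $name; Mode = 'Members (authoritative)' }
        }
    }
}

# Constructed sample of what the edit described in the text produces.
# The domain SID is made up; the two targets are the Administrators and Remote Desktop Users SIDs.
$sample = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1601__Memberof = *S-1-5-32-544,*S-1-5-32-555
*S-1-5-21-1111111111-2222222222-3333333333-1601__Members =
"@
Get-RestrictedGroupMembership -IniText $sample | Format-Table -AutoSize

# Against the live GPO, replace {GUID} with the Id of the edited GPO:
# $inf = "\\za.adobe.loc\SYSVOL\za.adobe.loc\Policies\{GUID}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
# Get-RestrictedGroupMembership -IniText (Get-Content $inf -Raw)
```

On the constructed sample the function returns two rows, both in additive mode: the group SID ending in 1601 is added to Administrators and to Remote Desktop Users. An empty or absent __Members line for our domain group is what we want; a populated __Members line for S-1-5-32-544 would instead wipe and replace the local Administrators membership on every computer in scope, which is both destructive and very noticeable.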

The setting takes effect at the next Group Policy background refresh. By default member servers and workstations refresh every 90 minutes plus a random offset of up to 30 minutes (domain controllers every 5 minutes); system administrators can shorten this, and in this environment it is at most 15 minutes. If we already have any session on a target, gpupdate /force applies it immediately.


info

After the refresh, our account, as a member of the group we added, has local administrator and RDP rights on every computer the GPO is linked to, here the servers in the Management Servers OU. Group membership is evaluated at logon, so a session opened before the refresh does not gain the new rights until we log on to the target again.

:: Verify from a new logon on the target (group changes only appear in a fresh token)
whoami /groups
:: Confirm the local group membership directly
net localgroup Administrators