Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / GPO

Matrix

PrimitiveRequired controlMain targetLinux toolingWindows toolingResult
SYSVOL reviewDomain user read accessSYSVOL and NETLOGONsmbclient, nxc, findstr equivalent, grepExplorer, PowerShell, findstrScripts, XML files, old credentials, configuration data
GPP secret recoveryRead access to policy XMLGroups.xml, Services.xml, ScheduledTasks.xml, Drives.xml, DataSources.xmlgpp-decrypt, Get-GPPPassword.py style toolingPowerShell, Get-GPPPasswordPlaintext or reusable credentials
Existing GPO editGenericWrite, GenericAll, GPO edit rights, or write access to GPC/GPTLinked GPOpyGPOAbuse, LDAP/SMB primitivesSharpGPOAbuse, GPMC, PowerShell GPO cmdletsCode execution or configuration change where the GPO applies
Immediate scheduled taskGPO edit rightsComputer side of a GPOpyGPOAbuseSharpGPOAbuse, New-GPOImmediateTaskOne-shot command execution on scoped machines
Local admin via GPOGPO edit rightsLocal Administrators group on scoped machinespyGPOAbuse with command, manual XMLSharpGPOAbuse, GPMC preferencesLocal privilege on scoped machines
Startup/logon scriptGPO edit rights and SYSVOL write pathMachine\Scripts\Startup, User\Scripts\LogonSMB file writes plus policy metadataGPMC, PowerShell, manual SYSVOL editScript execution during policy processing
Registry policy changeGPO edit rightsRegistry.pol or registry preference XMLManual file tooling, SMB writesSet-GPRegistryValue, GPMCConfiguration change, persistence, weakening control
GPO link modificationWrite access over OU/domain/site gPLinkOU, domain, siteLDAP tools, bloodyADNew-GPLink, Set-GPLink, PowerViewExisting policy applies to a new scope
Security filtering abuseGPO edit rights or ACL controlGPO DACLLDAP tools, bloodyADSet-GPPermission, GPMC, PowerViewPrincipals are added to or removed from the apply scope
GPO creation and linkingCreate GPO rights plus link rightsDomain or OULDAP/SMB toolingNew-GPO, New-GPLink, GPMCNew policy deployed to chosen scope
WMI filter abuseWrite rights over GPO or WMI filtergPCWQLFilter, msWMI-SomLDAP toolsGPMC, AD cmdletsPolicy scope narrowed, broadened, or redirected
GPO ACL abuseWriteDACL, WriteOwner, GenericAll, GenericWritegroupPolicyContainer objectbloodyAD, LDAP queriesPowerView, AD cmdletsGrant GPO edit rights, take ownership, chain into policy abuse

Risk matrix

ScopeImpact
Unlinked GPOUseful only if we can link it or if it is later linked by administrators
Workstation OULocal admin, code execution, user data access on workstation fleet
Server OULateral movement, service account access, application compromise
Domain Controllers OUTier 0 compromise
Domain rootBroad impact, but affected by inheritance, enforced links, filtering, and WMI filters